On May 15, 2013, the Ministry of Justice finally registered the long-awaited order of FSTEC No. 21 of February 18, 2013 “On Approval of the Composition and Content of Organizational and Technical Measures for Ensuring the Security of Personal Data When Processed in Personal Data Information Systems”. Why long-awaited? Because since the issuance of Government Decree of the Russian Federation No. 1119 (November 1, 2012), all questions on the technical protection of personal data have been in indefinite limbo. It turned out like this: the new decree cancelled the old classes of personal data information systems (ISPDn) and introduced the concept of “ISPDn security levels”, but how and with what personal data should be protected in each particular case was to be defined by the new FSTEC order, which we waited for “some” half a year.
Immediately after the publication of the new order, a wave of enthusiastic reviews of the new document appeared online: supposedly, this is a huge step forward in legislation on the protection of personal data. To some extent this is true (given that the previous documents were outdated from the start and did not take into account many nuances of how modern information systems function, such as mobile platforms, virtualization, etc.), but personally I have a lot of complaints about the new document.
In this article I will try to analyze the FSTEC of Russia document in plain language, weigh its pros and cons, and also try to answer the question “what should personal data operators do now?”.
What is the whole document?
In general, this is indeed a step forward in terms of lawmaking in the field of personal data protection. Finally, the list of measures mentions mobile devices and virtualization tools, which the legislators used to carefully avoid. Finally, there is no obligation of the kind found in the previous order: “If you have a class 1 ISPDn, you need to spend n money on information security tools; if class 2, then n-m money; and if class 3, then n-m-k money.”
Now the situation is this: we have 15 groups of different technical and organizational measures, each group contains from 2 to 20 different measures, and next to each measure it is noted whether that measure is basic (below I will call them conditionally mandatory) for a given security level (a plus means the measure is basic; no plus means it is compensating). It should be noted that there are quite a few measures in the list that can only be compensating, that is, they are not marked with a plus for any of the four security levels.
The personal data operator operates according to the following algorithm:
- determines the security level of its ISPDn according to Government Decree No. 1119;
- selects all measures marked with a plus for the determined security level (basic measures);
- removes from the resulting list the measures that relate to technologies not used in the ISPDn (for example, removes the measures for protecting the virtual infrastructure if virtualization tools are not used);
- compares the resulting list of measures with the actual threats in the threat model; if the selected measures do not neutralize all actual threats, adds the compensating measures needed to neutralize the remaining threats;
- adds to the resulting list the measures defined in other regulatory acts (for example, Government Decree No. 1119 contains a small number of measures, and there are also general requirements in Federal Law No. 152-FZ), after which it obtains the final list of measures to be implemented;
- implements the measures from the final list...
It seems that everything is simple: we determine the security level, draw up a threat model, select and refine the measures from the new FSTEC order, implement these measures, and our case is airtight. But…
A fly in the ointment
Actually, this is where the criticism begins, both of the new document and of the rest of the legislation in general.
The problems of FSTEC Order No. 21 are in general the same as those of many other legislative documents: vague wording, the possibility of a double interpretation of the text, and the lack of explanations where they are vital.
You can judge how carefully the document was prepared and how many times it was re-read and edited during these six months by the fact that after the fourth paragraph the order jumps straight to the sixth... Well, that is nitpicking, but what about the substance?
The confusion begins with a classic of the genre that stretches back to time immemorial. Paragraph 2 of the document states that organizations licensed for the technical protection of confidential information (TZKI) may be involved in carrying out work to protect personal data. This phrase has wandered from one FSTEC document to another for a long time, but there is no definite answer as to what “may” means. Naturally, cunning integrators will interpret this as “they may involve third-party organizations if they themselves do not have a TZKI license”. Formally, they will be right, because if you dig into other regulations, it turns out that even a trivial antivirus installation falls under TZKI, and there is no reservation in the licensing clause regarding TZKI that a license is not needed if it is for one’s own needs. But operators do not like to throw money down the drain and, fortunately, decent integrators switch on common sense and interpret this sentence as “they may involve others, but they may also do it themselves”. This is the first place where it would not hurt to describe more specifically the conditions for involving outside organizations.
Let us go further. Paragraph 3 tells us that personal data security measures should be aimed at neutralizing actual security threats. On the other hand, 152-FZ tells us that organizational and technical measures are applied to fulfil the requirements for protecting personal data. So, after all, do we have freedom or yet another obligation? Again, clarification is needed.
Further still. The sixth paragraph states that once every 3 years the operator, independently or with the involvement of outside organizations, should assess the effectiveness of the implemented personal data protection measures. The same thing happened as with the assessment of harm to the personal data subject in 152-FZ: it turns out that an assessment must be conducted, but there is no methodology for such an assessment. Or maybe the effectiveness assessment is a substitute for certification of the information system? Then why can the operator conduct it independently, without having a TZKI license?
The tenth paragraph of the document is at first glance very promising; it says:
“If it is impossible to implement certain selected measures to ensure the security of personal data, as well as taking into account economic feasibility, other (compensating) measures aimed at neutralizing actual threats to the security of personal data may be developed at the stages of adapting the basic set of measures and/or refining the adapted basic set of measures.”
It would seem that here it is: refer to economic inexpediency and do not buy any certified security tools. Well, the very next paragraph immediately brings us out of our state of euphoria:
“In this case, during the development of the personal data protection system, a justification must be given for the application of compensating measures to ensure the security of personal data.”
In other words, simply saying “I talked it over with the guys and we decided that installing certified information security tools (SZI) is too expensive, so we put on a free Chinese antivirus” will not work. It is necessary to show some pieces of paper justifying the use of other measures instead of the basic ones. How to justify it? For the time being, the only thing that comes to my mind is to conduct a risk analysis procedure according to ISO 27001, which, if a third-party organization is hired for the purpose, can in itself cost a pretty penny. Moreover, it is by no means a given that the risk analysis will show that implementing certified SZI is not economically viable...
Now we have reached the main part of the document: the appendix with the list of measures. Here too, things are not as simple as we would like. The measures seem to be divided into groups and conveniently numbered, and the convenient columns with pluses seem to show whether this or that measure is conditionally mandatory in our case or not. But all the same, after studying the table of measures, a feeling of uncertainty remains. For example, paragraph four of the main text of the order no longer, as it were, obliges you to use only certified SZI. That is good. But the same clause does not say directly that uncertified SZI may be used or that SZI may not be used at all. This is how it reads verbatim:
“Measures to ensure the security of personal data are implemented, among other things, through the use in the information system of information security tools that have passed the conformity assessment procedure in the prescribed manner, in cases where the use of such tools is necessary to neutralize actual threats to the security of personal data.”
At the same time, the first measure, conditionally mandatory for all security levels, is: “Identification and authentication of users who are employees of the operator.” It is clear that this measure can be implemented by the standard means of any OS. And paragraph four does not seem to oblige you to use the likes of Secret Net or Dallas Lock, but where is the guarantee that an inspector will not come and say, “You have all misunderstood; there must be a certified SZI here, here is your order to remedy the violation”? Who determines what and how: whether a certified SZI is needed to neutralize a specific threat, or whether it can be dispensed with? Why can it not be written directly that the use of certified SZI is not necessary, or is necessary only in certain specific cases?
The wording of the measures themselves is also sometimes very interesting. For example, a conditionally mandatory measure for protecting virtualization environments for security level three and above:
“The division of the virtual infrastructure into segments for the processing of personal data by an individual user and/or group of users.” How is this to be segmented? And why is it needed? Of course, when refining or adapting the set of measures we can throw this measure out of the list, but again, what if the inspector says “You have all misunderstood...”?
I very much hope that someday FSTEC representatives will still provide official clarifications on the controversial issues.
In lieu of a summary
On the whole, FSTEC’s attempts to give operators more freedom when choosing a personal data protection strategy are noticeable, but the vagueness and ambiguity of the wording, combined with the ambiguity of the regulator’s position on controversial points, give cause for wariness.
What should operators do now?
Those who have already protected their ISPDn the “old way” should slightly edit their documentation, bringing it into compliance with current legislation. In any case, your protection system will most likely technically comply with the new document, since the previous requirements were stricter.
The rest should classify their ISPDn, build a threat model, draw up a list of measures and, as far as possible, implement them. Keep an eye on all news related to the regulators’ explanations, inspection practice, expert opinions and the general trend in the development of legislation in this area.