
PD protection in small, medium and large organizations. Is it all smooth?

If you look at other countries and their approach to personal data protection, you can see some differences from Russia, namely:





The Russian state, however, has done the opposite. That is what I would like to write this article about: what I have seen with my own eyes.



Introduction



Any material presented to a reader should be organized at least somehow, that is, broken into sections, chapters and so on. I would like to convey to the reader the opinion I formed while implementing personal data projects. The essence of the problem is that in Russia the law on personal data (hereinafter PD) is simply a burden for everyone: for a company, for its employee and for its client. Companies have to protect PD on their own or with the help of a competent organization, teach employees how to work with it, and make clients sign yet another piece of paper stating that they agree to its storage and processing. The result is a set of problems and a set of rules that must be followed.



Organizational part



A typical PD project is carried out in 4 global phases:


  1. Survey.
  2. Development of organizational and administrative documentation (ORD).
  3. Development of a security system.
  4. Implementation.


These stages are often divided into sub-steps to make the overall picture clearer, mainly for the customer's benefit. In this section I would like to touch on stage number 2.

From the employee's side. Any PD project, if done from scratch, involves writing a large pile of papers that regulate work with this PD, plus standard processing consent forms, agreements with counterparties, and so on. And here the Russian approach leaves its mark: the papers are printed out and lie on a shelf until the supervisory authority comes and checks them. Why this happens:



  1. The employee does not understand why he needs these papers.
  2. Whatever is covered in training is forgotten after a month, since nobody monitors whether the instructions are followed.
  3. The liability for disclosure is ... ridiculous.
  4. Management has ticked the box that "PD is protected", so there is no problem and no need to think about it.


From the client's side. The overwhelming majority of people are not aware of the law governing PD protection and do not think twice when handing their PD to anyone in order to receive some service. There are many examples: online shopping, ordering food at home, etc. Only after this BOOM had passed did a certain part of the population begin to think about it. But when the moment comes of "my passport showed up at the top of Google" or "my wife found out that I was at a different hotel on my business trip", the person begins to think. In other cases we are faced with the following:



  1. No interest in understanding what is done with their PD or where it is transferred.
  2. "They don't protect it? Well, it's not necessary."
  3. Sign the "PD transfer consent". What for? Why?
  4. Calm as long as everything is calm, and panic when PD has leaked.


As a result, the developed set of documents, which spells out the rules for working with PD that are supposed to prevent leaks, does not work. Only a responsible person can make them work, for example an information security specialist in the same company. But since most companies (small and medium-sized organizations) have no such people, the whole responsibility falls on whoever "communicates" with the computer best, and good results cannot be expected.



Technical part



Here everything is much more complicated. Let's split the project by the size of the organization: large, medium and small.



Small organization



From a technical point of view, everything is simple. Basically, the entire infrastructure is built on Windows: at most one server for 1C and several workstations. Information security tools (hereinafter SZI) are rolled out and configured quickly, and problems usually do not arise. So at this stage, technically, everything is fine. Next comes the process of teaching people to work with these SZI. Leaving aside the identification/authentication mechanisms, the work turns into hell. In most cases an employee reacts very negatively to changes in his work, especially if they are related to technology. As a result we get:



  1. SZI are installed and configured, but nobody uses them.
  2. The employee's main work is complicated by working with SZI.
  3. These SZI need someone to administer them, and usually there is no such person.


In conclusion: organizational and technical measures are implemented, employees are trained, PD is NOT protected.



Medium Organizations



Everything is more complicated. There is an established IT department or a full-time system administrator. In rare cases there is a security specialist. The infrastructure is configured. This is where the problems begin. Implementing SZI that are acceptable from the regulators' point of view means restructuring the current infrastructure. Usually in such cases the personal data information system (ISPDn) is carved out into a separate segment and protected separately, so as not to affect the overall architecture and the company's day-to-day operation. In this case there is someone to administer the SZI, which is an undoubted bonus. Again, employees are not thrilled that something is changing in their work, and the implementation of organizational protection measures fades into the background. Control over their implementation is assigned to IT specialists, who in turn are busy with more important things. As a result we get:



  1. SZI are installed, configured and, in most cases, administered.
  2. The employee's main work is complicated by working with SZI.
  3. The ISPDn does not break the current infrastructure.


In conclusion: organizational and technical measures are implemented, employees are trained, PD is NOT protected.



Large organizations



This is even more interesting. There is an IT department, a security department, a distributed information system, virtualization, a large number of corporate services, etc. Usually everything is protected sensibly: encryption, protection according to all the rules and best practices. Everything is already well protected, but then there is the word "certification", which spoils everything. Each such project deserves its own article; they do not fit one template. But in the end, both the organizational part and the technical part are fine. Responsible employees do their jobs. Users are trained, and the process is controlled.

As a result, we obtain:



  1. SZI are installed, configured and administered.
  2. The employee's main work is complicated by working with SZI.
  3. The ISPDn does not break the current infrastructure.
  4. Organizational measures are carried out according to the instructions and regulations.


In conclusion: organizational and technical measures are implemented, staff are trained, PD is protected.



Conclusion



In conclusion, I want to say this. Protecting personal data is good and necessary work if it is done correctly. But given our realities, for small and medium-sized businesses it brings no result, only wasted money. Again, I am talking about most organizations, but I have not met a small business that is doing well with PD. I am not saying that PD should not be protected, but the approach should be different.

Source: https://habr.com/ru/post/204316/
