
A tale about a white bull or how to stay invisible behind glass

Mankind keeps moving further in its development: much of what seemed fantasy 100 years ago has already become reality. If under Ivan the Terrible it was enough to ask "Whose are you, how old are you, married or not?", then modern boyars do not answer such questions to everyone they meet. Such information about a person has come to be called "personal data", and for disclosing it people are no longer impaled, but they can be put in jail.



It is difficult to imagine a company that holds no personal data at all: telephone directories, payroll statements, lists of employees and so on. All such data is classified by degree of confidentiality. If the company submits data on its employees to the Pension Fund, it automatically holds data of the highest category: payroll statements with full names, information on the employee's social status, disability, marital status, number of children, etc.
Every person has the right to privacy, as regulated by the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data", approved in 1981 by the European Commission in Strasbourg (ratified in Russia by law No. 160-FZ). Yet automated data processing, the maintenance of databases and registries, is the reality of today. Whoever owns personal data and ensures its storage becomes a data operator. For a legal entity, operator status means a certain degree of responsibility regulated by laws and by-laws: first of all law 152-FZ, and then the by-laws of the agencies involved: the Ministry of Communications, Roskomnadzor, FSTEC and the FSB.

All data operators are entered in the Roskomnadzor register (pd.rsoc.ru); on that website you can find the date of a scheduled inspection and the agency that will carry it out.
The state has long been occupied with the problem of recording all personal data about a person in a single system, including links to bank accounts. Right now, for example, our state is actively pushing a project to create a universal electronic card: an electronic digital document carrying the owner's personal data, with the option of keeping money on it as well.

The assumption that our data is closed to outside access is very conditional. According to Interfax, citing InfoWatch statistics, the number of personal data leaks in our country doubled in 2013 alone and reached 109 cases. In other words, the data of 109 companies simply floated off into the vastness of the Internet, compromising 3 million records.
Often the blame for losing personal data lies with the heads of the departments responsible for storing it. Again from the Interfax statistics: in 5 cases out of 10 the data was lost via the Internet.

Starting this year, the Ministry of Communications and Mass Media wants to toughen the penalties for violating the rules of personal data processing. The appearance of citizens' personal data in open access will now cost a data operator 300 thousand rubles; for comparison, the previous penalty was 10 thousand rubles.
Fines are also being raised for processing special categories of personal data: political convictions, medical information, criminal records.
The task of the legal entity, the data operator, when building its information storage system is to take the first, organizational step: set up the workflow and create the documents that permit data processing. The second step is to provide the necessary IT system architecture. The most important measures against data loss are, of course, the technical ones, which involve the use of certified information security tools.
How complex the software architecture has to be depends on the degree of confidentiality of the data.

There are four categories of personal data, in ascending order of confidentiality from K4 to K1:
K4 - depersonalized data. A category K4 data operator may choose its technological solutions independently; an FSTEC certificate is not required.
K1 - data that must not only be protected but also encrypted. The software must be certified by FSTEC, and any cryptographic systems must be approved by the FSB.

So while for data of the lowest category, K4, it is enough to ensure data integrity, data of category K1 requires a complete protection suite (often including encryption and data leakage prevention).
The list of software functions required of the database operator is as follows:
1. Protection against unauthorized access
2. Anti-virus
3. Firewall
4. Cryptographic tools (for large companies where data leakage is possible)
and other protective mechanisms (see the FSTEC guidance document "Basic measures for the organizational and technical security of personal data processed in personal data information systems").

All computers on the network that process personal data must be certified and run software certified by FSTEC (the Federal Service for Technical and Export Control), and the network itself must be protected by a certified firewall.
Small firms, as a rule, use non-certified software, including a firewall without an FSTEC certificate (Traffic Inspector Gold).

Firewalls

The corporate network as a whole and every individual workplace must be protected not only from mass attacks by viruses but also from targeted network attacks. For this it is enough to install a system that blocks unused network protocols and services, which is exactly what a firewall does; the functionality of organizing virtual private networks (VPN) is often added to the firewall as well.
A larger company, in order to cut the cost of certification and of buying certified software, usually does all of its work with personal data in a separate network closed off by a certified firewall (Traffic Inspector FSTEC).
Traffic Inspector provides Internet access both through a proxy server and through NAT (network address translation). The advantages of combining NAT with a proxy server are obvious: NAT is a universal way of providing Internet access and also hides the internal hosts behind it, while the proxy passes web requests through itself and shields the system from unwanted content.
The software used to build an IT architecture capable of protecting a system with personal data thus covers: providing Internet access; the firewall and antivirus; and packet filtering that verifies IP packet checksums and IP packet lengths and drops "broken" packets.
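As an added illustration of the "broken packet" filtering mentioned above (my own example, not code from the article or from Traffic Inspector): a minimal IPv4 header validator that checks the header checksum and the length fields and reports why a packet would be dropped. The build_ipv4 helper, the addresses and the sample packets are constructed here for the demonstration.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement Internet checksum over an IPv4 header (RFC 791).
    Computed over a header whose checksum field is already filled in,
    the result is 0 exactly when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_ipv4_packet(packet: bytes) -> str:
    """Return 'ok' or a 'drop: <reason>' verdict for one raw IPv4 packet."""
    if len(packet) < 20:
        return "drop: shorter than minimal IPv4 header"
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4:
        return "drop: not IPv4"
    if ihl < 20 or ihl > len(packet):
        return "drop: bad header length"
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        return "drop: total length does not match data"
    if ipv4_checksum(packet[:ihl]) != 0:
        return "drop: header checksum mismatch"
    return "ok"


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Constructed helper: assemble a well-formed 20-byte IPv4 header + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed sample packets: one good, three "broken" in different ways.
GOOD_PACKET = build_ipv4("192.168.1.10", "10.0.0.5", b"hello")
BAD_CHECKSUM = GOOD_PACKET[:10] + b"\x00\x00" + GOOD_PACKET[12:]
TRUNCATED = GOOD_PACKET[:14]
BAD_LENGTH = GOOD_PACKET[:2] + struct.pack("!H", 200) + GOOD_PACKET[4:]

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_PACKET), ("bad checksum", BAD_CHECKSUM),
                      ("truncated", TRUNCATED), ("bad length", BAD_LENGTH)]:
        print(f"{name:13s} -> {check_ipv4_packet(pkt)}")
```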

Any software installed in the company must be properly recorded in the dedicated documentation:
1. List of personal data protection tools
2. Register and storage record of personal data carriers
3. Act of installation of information security tools
4. Approved form of the act of write-off and destruction of electronic media
5. Approved form of the act of destruction of documents
6. Signed non-disclosure agreements for personal data with third parties (organizations), or corresponding clauses in contracts and agreements (especially for cross-border data transfer).

If the organization changes its software or hardware, this must be reflected in these documents.

Let's sum up. A legal entity that works with personal data (even depersonalized data) or client data automatically becomes a data operator. Today any organization runs the risk of violations in the processing and storage of personal data, whether the data is stored on paper or electronic media or processed automatically. The measures a legal entity takes to secure personal data processed in its information systems are evaluated during state inspections. Therefore, first, determine which class of data you operate on (if you submit information to the Pension Fund, that means the highest class, K1). Second, protect your system with a certified firewall. Third, check the websites of Roskomnadzor and FSTEC of Russia, where the schedules of inspections for compliance with Federal Law 152 are published.

Source: https://habr.com/ru/post/231267/
