
Documents for the protection of personal data. Fighting with freeloaders

This article is devoted to the various services that automatically generate a set of an organization's internal documents for the protection of personal data from some information entered by the user. Frankly, it started out as an angry post. The irritation was caused by information received through personal channels that representatives of one of these services visit the chief doctors of medical institutions in the city where I live and frighten them with the prosecutor's office and punishment for violating the law On Personal Data if they refuse to subscribe to the service. But circumstances intervened: while the article was being written, urgent matters came up, and everything finished at that point sat in drafts for a week. During this time the steam has been let off a little, and now I will try to calmly explain why such services will not ensure proper quality of the internal documentation for the protection of personal data, talk about other problems with such portals, and at the end give a link to a hodgepodge of the same documents.


Problem number 1. Misleading the client. Lies


Here, probably, we should immediately start with examples.

On the very first page of one of the sites it is written that the maximum penalty for violating the rules for processing personal data is 300,000 rubles. This is not true. At the moment, Article 13.11 of the Administrative Code of the Russian Federation provides for a maximum fine for legal entities of 10 thousand rubles. Apparently, what is meant here is bill No. 683952-6, which provides for the expansion of Article 13.11 of the Administrative Code and does raise the maximum fine to 300,000 rubles, but the bill passed its first reading last autumn and has been suspended, and whether it will finally be adopted is unknown. Conclusion: the authors of the site are either unaware of the situation or are intentionally trying to exploit the fear of huge fines, which is also not good.
The second example: another service solemnly promises the successful completion of any inspection by any regulatory authority in the field of personal data protection with its documents. First, the service does not generate such an important document as the “Threat Model”, which even Roskomnadzor needs to be shown and without which even a documentary inspection cannot be passed successfully. Secondly, FSTEC and the FSB are far from checking only the pieces of paper. Thirdly, I already wrote in my old article that in some regions (not all) a quota-driven (“stick”) system operates, and it is not possible to pass the inspection successfully no matter how well we prepare for it.

Problem number 2. The lack of individualization


Of course, almost all services for preparing a set of documents will tell you about flexible personalization of the document set for you, but this statement could well have been cited as a third example under problem No. 1.

Honestly, I myself once wrote a similar template “filler” in Java, but it somehow never caught on: the most that can be done is to automatically enter the name of the organization and other frequently repeated things into the documents. And here is why: if the goal is to write high-quality documentation, then you will have to write it by hand, taking into account all the specifics of both the organization's business processes and the IT platform on which the personal data information system is built. At my work this is, as a rule, exactly the task, and to those who just need to “get the inspection over with” we give the following set of templates. For free. But it must be remembered that the regulators are not standing still either, and it is becoming more and more difficult to pass an inspection with a set of sample, unadapted documents from seven years ago.

Let me explain why template “fillers” will not help in developing a complete and useful set of documents. Take, for example, the important and useful document “Security Administrator's Guide”. Of course, when a document is made just to tick a box, it contains a lot of padding and very little specifics. If we make a full document, we need to describe all the duties and actions of the security administrator depending on the conditions of the personal data information system. And here it turns out that a huge number of factors affect the content of the document:

- is virtualization used?
- are mobile devices used?
- is backup performed, by what means, how often, and where are the backups stored?
- etc., etc.

Of course, you can try to take all this into account in the template, but then the service's users will have to collect and enter a huge amount of data, which contradicts the principle of “simple and easy, just pay the money”.

All that can be done tolerably is the “filling in” of templates: various orders on the appointment of responsible persons or of various commissions. As soon as issues related to business processes or features of the IT infrastructure come up, the problems begin.

Problem number 3. Questionable quality of the documents themselves


In part, this problem echoes the previous one, but if problem No. 2 was more about the features of automated filling, here it is about the text of the templates itself, which is not subject to change. They manage to mess up even the simplest instructions.

Example. Usually two persons responsible for the protection of personal data are appointed in an information system: the person responsible for organizing personal data processing (more for organizational matters) and the information security administrator (for technical matters: configuring protection tools, etc.). Accordingly, these roles are usually abbreviated as “Responsible” and “Administrator”. So, one of the services named these two friends “responsible for organizing the processing of personal data” and “responsible for ensuring the security of personal data” and abbreviated them, as you have probably already guessed, as “Responsible” and (surprise!) “Responsible”. In the order appointing these responsible persons no catch is felt; the madness begins when the authors of the documents start describing the interaction of these two different people, and it turns out something like “Responsible for Responsible and Responsible Chases”.

Problem number 4. Security


Oddly enough, services designed to improve information security themselves raise a number of questions, ranging from the banal lack of encryption when submitting forms with confidential data to how this data is stored by the service, how physical access to the servers is organized, and much more. At the same time, we remember that so far these services work on the “easy and simple” principle and do not collect a large amount of information, but they can also “improve”. Still, at a minimum, the personal data of the responsible persons and members of various commissions, as well as basic data about the information system, will have to be provided.

What is all this about?


I am convinced that selling document blanks, even with the sauce of an automatic template filler, for money is last century. I am convinced that intimidating potential customers and deceiving them is a dead-end marketing model. A subscription to such services costs from 10 to 50 thousand rubles a year. For this money you can hire a specialist who will prepare a high-quality set with a full audit of business processes and IT infrastructure (yes, during a crisis an experienced specialist may agree to work even for 10 thousand rubles). But if the choice has fallen on templates, then I don't see any sense in paying for them. Besides, various documents can be googled entirely for free. As promised, to simplify this task I have laid out a selection here.

Source: https://habr.com/ru/post/280149/
