With the starting date for new checks and requisitions approaching - this time not only about software licensing, but also about the protection of personal data - one has to carefully re-read the scanty regulatory framework for this case. Already starting with FZ-152 (a surprisingly toothless document, yet they still managed to plant a mousetrap in it), an interesting thing comes to light.
Thus, Article 25, paragraph 3 states that
“Information systems for personal data created prior to the effective date of this Federal Law shall be brought into compliance with the requirements of this Federal Law no later than January 1, 2010”. The law came into force at the very beginning of 2007. About information systems created AFTER its entry into force, the text of the law says nothing. And this, for example, in the interpretation of the “competent authorities” may mean that by default all information systems created in 2007, 2008 and 2009 should have complied with this law from the outset. As in, “you were warned.” Whether this means that not just systems deployed at enterprises, but also solutions released by developers, must be certified one way or another for compliance with FZ-152 is still unknown. And it will not be known before the first checks - then we will see from the results which interpretation the inspectors choose. This, I think, is a legal vulnerability.
We go further. Not everyone has introduced new solutions over the past three years. And with the old zoo - welcome to the registration of personal data operators. At the same time, as follows from the “joint order of the three” (order No. 55/86/20), para. 17:
“In the case of the allocation of subsystems in the information system, each of which is an information system, the information system as a whole is assigned a class corresponding to the highest class of the subsystems included in it”. Then a red poster with a Red Army soldier vividly springs to mind, menacingly asking “Have you classified your information system yet?” From the same order No. 55/86/20, para. 6, we read:
“The following categories of personal data processed in the information system (Xpr) are determined:
- category 1 - personal data relating to race, nationality, political views, religious and philosophical beliefs, health status, intimate life;
- category 2 - personal data which allows identifying the subject of personal data and obtaining additional information about them, with the exception of personal data belonging to category 1”.
Do you like category 2? I like it very much. If desired, you can fit anything under “additional information”. Do you have employee addresses in the database? That's great, but why then is the software not certified for the appropriate category?
Dealing with old systems, subsystems, their categories and the question of their certification is a real headache. In addition, quite understandably, the main operators of high-category personal data are state institutions and financial structures. The financiers, I think, will cope somehow. But how state employees will get out of this, especially with a hole in the budget, is a very interesting question. Inspectors, as you know, don't care about explanations - they want to see a piece of paper that says in black and white that the installed software meets the requirements of the party and the government. And preferably one piece of paper for everything. If you have 25 pieces of paper, one per component, it will take 25 times longer to sort it out. And, under the Code of Administrative Offenses, with the rosy prospect of confiscation of improperly documented information security tools. Together with the server, yeah.
In this scenario it would seem natural that over these two years developers and integrators had to push through and release solutions for the sufferers in time for January 1, 2010. And simply certify new solutions under Federal Law 152 and the relevant regulatory documents. In practice it turns out - nothing of the kind! Of course, components are certified in full. But a complete solution - so that the server, the desktop platform and at least the basic user software are all covered - so far the search turns up only one thing:
Open Referent from Software United. It is clear that IBM Lotus Domino / Notes, which is included in it, has long been certified on its own, but the developers received an FSTEC certificate for the entire solution, including RHEL, the Open Referent document management system, and the office functionality. Exactly what state employees need, and there it is - document circulation is a fundamental thing for them, and the solution costs little money.
Naturally, Microsoft has certified a lot of the same set - albeit product by product, but it is all very easy to assemble into an information system. But even Microsoft has not yet had time to certify its workflow system - still, Atlas cannot be hurried. Either it really is that hard to push a solution through FSTEC and the FSB, or Russian IT suppliers simply aren't catching mice, losing this niche.
Well, it seems it is time for customers to figure out how not to get caught in the wave of “Ponosov's case v. 2.0”.