
If you work with government organizations

At http://regulation.gov.ru/projects#, another draft law introducing further changes to the law “On Information, Information Technologies and on Information Protection” is available. More precisely, two such drafts are now posted on the portal, but we are interested in the draft law from the FSTEC of the Russian Federation:



What is supposed to change in the methods of protection, and whom do the changes concern?

Note that the draft concerns the protection of “state information systems, as well as other information systems in which, on the basis of contracts or other legal grounds, information owned by state bodies or state corporations is contained (processed)”. Recall that the requirements for protecting state information systems were set out in the seventeenth order of the FSTEC of the Russian Federation. The draft law indicates that the requirements of this order apply not only to state information systems, but also to all organizations working with data obtained from them.
Requirements for the protection of information contained in government information systems, as well as other information systems in which information owned by government agencies or government corporations is contained (processed), are established by the federal executive body for security and the federal executive body authorized in the field of countering foreign technical intelligence services and technical protection of information, within their authority. When creating and operating such information systems, the methods and means used to protect information should comply with the specified requirements.

At the same time, “the creation and maintenance of information protection systems must provide for”:
1) the designation by the operator of persons responsible for the organization of information protection, as well as for the planning and development, implementation, monitoring, maintenance and improvement of information protection measures;
2) the publication by the operator of documents defining the policy of ensuring the protection of information, including local acts for organizing information security, as well as local acts establishing procedures to ensure the protection of information in accordance with this Federal Law;
4) implementation of internal control (audit) of compliance of information protection with information protection requirements ..., operator's policy to ensure information protection, operator's local acts;
5) familiarization of the operator’s employees who directly process and protect the information with the information protection requirements, documents defining the operator’s policy to ensure the protection of information, local acts of the operator and training of these workers.

The most interesting part is, as usual, at the end of the draft law:
Operators of state information systems, as well as other information systems in which, on the basis of contracts or other legal grounds, information owned by state bodies or state corporations is contained (processed), inform the federal executive body in the field of security and the federal executive body authorized in the field of countering foreign technical intelligence and technical protection of information about security events as a result of which the functioning of the information system is interrupted or terminated and (or) the security of the information processed in the information system is impaired (computer incidents).

It is assumed that all organizations that work with government agencies in one way or another and receive data from them will have to report data on security incidents. It is logical to assume that this draft law will be followed by regulations requiring the data to be transferred in a format that meets the conditions for acceptance into the incident database, which will be maintained by the FSTEC.


Source: https://habr.com/ru/post/304772/

