
Today I would like to once again raise an important topic: the legitimacy of implementing systems that protect against information leaks. It is great when a company thinks about the safety of its information assets and deploys a DLP solution. But if that deployment is not accompanied by legal groundwork, some of the DLP's functions simply "fall away". The company will not be able to use DLP data in court against an employee who is guilty of disclosing confidential information (and may itself end up on the receiving end of a lawsuit by that employee, for example). This short piece explains how to avoid that and where to take precautions in advance.
In accordance with the Labor Code of the Russian Federation, Federal Laws 98-FZ, 152-FZ and others, the operation of a DLP system in an organization involves several aspects that require legal formalization. Let us say right away that the list of documents given below is somewhat redundant. If you lack some of these regulations, it may not be fatal. But over years of work in this area we have formed the opinion that there is no such thing as too many supporting documents, especially when a company has to sue an employee who has "leaked" confidential data.
Another important point is that most of these regulations and agreements require the signature of the employee, who either acts as one of the parties to the agreement or confirms that he or she has read the contents of the document. Therefore, the HR department and, of course, the lawyers must be involved in the work of legalizing the DLP deployment.
Restricted Information
First of all, you need to understand that confidential data is not whatever the company would like to keep secret, but what is formally established as restricted-access information. Restricted-access information includes personal data, commercial, official and professional secrets, information on the essence of an invention, etc. Therefore, the first step is for the company to define and document a list of restricted-access information, with which employees are familiarized against signature. Documents that will be needed at this stage:
- List of restricted-access information.
- List of persons permitted to process restricted-access information.
- Regulations on the processing and protection of restricted-access information (PDN, i.e. personal data; CT, i.e. commercial secrets; etc.).
- Orders introducing an information protection regime (especially for commercial secrets).
Disclosure of restricted information
Now that we have established what information we will protect and who has legitimate access to it, we can move directly to the question of its possible disclosure. First of all, it is necessary to draw up documents that explicitly prohibit employees from disclosing restricted-access information that became known to them in the course of performing their job duties. Such a prohibition should be stated in two kinds of documents: the company's general regulations and the documents governing the information protection regime.
General documents:
- Employment contract.
- Internal labor regulations.
- Employee job description.
- Regulation on the employee's department.
- Supplementary agreements with the employee.
Information protection regime:
- Documents containing information security provisions and procedures: the general information security policy, password protection, access control, protection against malicious software, acceptable use of information systems and services (including the Internet and corporate e-mail), monitoring and control, incident management, training and awareness, etc.
- Instructions for users of information systems, services and information security tools.
This list of documents can be used as a reference when drawing up the provisions discussed later in the article.
Further, as we understand, a prohibition is worth nothing unless liability is established for violating it. Persons who disclose restricted-access information may be held to disciplinary, administrative, civil or criminal liability in the manner established by the legislation of the Russian Federation. In particular, I would remind you that disclosure of a secret protected by law (state, commercial, official or other) that became known to the employee in connection with the performance of his job duties, including disclosure of another employee's personal data, is grounds for dismissing the employee on the employer's initiative (Labor Code of the Russian Federation, Article 81, paragraph 6(c)).
Rules for processing / protecting information and using monitoring tools
The next step is to draw up local regulations defining the rules for processing and protecting restricted-access information. Employees should be familiarized with them against signature, and we recommend that companies keep copies of the familiarization logs.
Employees should also be made aware (that is, again sign an acknowledgment) that compliance with these rules, as well as the use of corporate information processing tools, is monitored with monitoring tools.
The following documents will also not be superfluous:
- Reports and plans for training and briefing employees.
- Copies of training and awareness logs on information processing and protection.
Personal information on corporate resources
Separately, all the rules concerning employees' personal information, its storage and its transmission using corporate resources should be spelled out.
- It is forbidden to store personal information on corporate devices.
- Corporate communication channels and information processing facilities are to be used by employees exclusively for work (business) purposes.
- Employees are prohibited from storing personal information on corporate resources (workstations and file storage) and from transmitting it through corporate communication channels (corporate e-mail, the Internet and others).
Information Security Division
The duties of security personnel should likewise be regulated and set out in the regulation on the information security division and in the job descriptions of its employees. At a minimum, the list includes monitoring compliance with the rules for processing and protecting restricted-access information and responding to information security incidents.
DLP system
The information security system must correspond to the threats relevant to the company, as well as to the requirements and recommendations of the regulators (Roskomnadzor, the Federal Security Service of Russia, and FSTEC of Russia, the Federal Service for Technical and Export Control). What will help the security officer confirm this:
- Extract from the threat model and intruder model.
- Extract from the technical specification (TZ) and technical design (TP) of the protection system.
- Information about the DLP system (functionality and certificates).
- Reports on information security audits and inspections, copies of certificates of conformity.
That's all. If the article was useful, we can continue and explain how to lawfully dismiss an insider and what to do if an employee has disclosed restricted-access information and you have decided to go to court.