Information systems for personal data. Classification act ISPD

The act of classification of an ISPD is, as a rule, a confidential document, and must bear a confidentiality stamp ("Confidential", "DSP", "Commercial secret") and an accounting number.

To carry out the classification, a commission must be created at the enterprise. The commission must include a person responsible for the protection of personal data. The commission must be appointed by order of the head and carry out its activities on the basis of the Regulation on the classification commission. According to the results of the classification, an act must be drawn up. The ISPD classification act must be approved by the chairman of the commission and signed by all members of the commission.

How to draw up an act of classification of ISPD

The classification act is drawn up for each identified ISPD. Based on the data obtained, the required security level of personal data is determined for each ISPDN. This is necessary in order to establish the requirements for protecting the personal data information system. The level of protection of personal data is determined in accordance with the Decree of the Government of the Russian Federation dated 01.11.2012 No. 1119 "On approval of requirements for the protection of personal data when processing them in personal data information systems."

The act indicates:

  • personal data processed in the system;
  • the volume of processed personal data;
  • the type of actual threats for the ISPD;
  • the structure of the information system;
  • the presence of connections to public communication networks and (or) networks of international information exchange;
  • the mode of processing personal data in the system;
  • differentiation of user access rights;
  • location of ISPDN;
  • PD security level.

The ISPD classification act may include systems that store the following data:

  • special categories of personal data - information related to race, nationality, political views, religious or philosophical beliefs, health status, intimate life of the subjects of personal data;
  • biometric personal data - information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity and which is used by the operator to establish the identity of the subject of personal data;
  • publicly available personal data - information obtained only from publicly available sources of personal data created in accordance with Article 8 of the Federal Law "On Personal Data".

It is quite rare to find systems in which personal data of the 3rd category are processed. This is due to the fact that for real tasks you need not only the data identifying the subject (name, passport data), but also additional information about him (for example, information about the salary).

The most common are information systems in which personal data of the 2nd category are processed, for example, employee payroll systems.

The volume of processed personal data is the number of subjects whose personal data is processed in the system. The following gradation is applied:

  • more than 100,000 personal data subjects;
  • less than 100,000 personal data subjects.

Types of threats to the security of personal data

Type of actual threats for ISPDN:

  • Type 1 threats are relevant for an information system if, among other things, threats associated with the presence of undocumented (undeclared) capabilities in the system software used in the information system are relevant for it;
  • Type 2 threats are relevant for an information system if, among other things, threats associated with the presence of undocumented (undeclared) capabilities in the application software used in the information system are relevant for it;
  • Type 3 threats are relevant for an information system if threats that are not associated with the presence of undocumented (undeclared) capabilities in the system and application software used in the information system are relevant for it.

By type, the personal data information systems described in the ISPD classification act are divided into typical and special. Typical ISPDs are information systems in which only the confidentiality of PD is required. Special ISPDNs are information systems in which, in addition to confidentiality, at least one more security characteristic of personal data (integrity, availability) must be ensured.

In addition, special systems include all ISPDs that process data about the health of subjects, and ISPDs in which decisions giving rise to legal consequences for the subject are made on the basis of automated processing.

Most of the existing ISPDNs are special. This is because, in addition to confidentiality, it is also important that PD are always available for processing, complete and reliable. For all special systems it is necessary to develop a "Particular Model of Actual Threats".

Classification of personal data information systems by structure:

  • Autonomous. A single automated workstation (computer).
  • Local. Automated workstations (AWS) united in a local network.
  • Distributed. Automated workstations or local area networks interconnected using remote access technology.

According to the mode of processing personal data, ISPDs are divided into single-user and multi-user. Single-user systems are rare. As a rule, at least two people work even at a single autonomous workstation (to cover vacations and illnesses).

Multi-user ISPDs are divided into:

  • No differentiation of access rights. In such systems, all users have access to all information.
  • With differentiation of access rights. Each user has access to a strictly defined piece of information in the system.

According to the location, ISPD is divided into.

Personal data information systems (ISPDN) are used in their work by many enterprises and organizations. Let's figure out what they are and what nuances need to be taken into account by those who work with an ISPD.

What is ISPDN?

Simply put, an ISPDN is an information system used to store and process personal data. It consists of the following components:

  • The personal data itself, stored in the system's database.
  • The technical means used to work with this data.
  • Automation tools for accounting and processing the information stored in the ISPD (not present in all systems).

ISPDN is serious

When using the systems under consideration, it is important to ensure the protection of personal data from unauthorized access, loss and other emergency situations. This is spelled out even at the legislative level. In order to take appropriate measures to restrict access to information and to protect it, an ISPD is audited (for more details, please contact Rentacloud specialists: http://rentacloud.su/services/zashchita-personalnykh-dannykh / audit /). Based on its results, an act is drawn up containing the following information:

  • The category of personal data that is stored and processed in the surveyed system.
  • Their class and type (more on that below).
  • Parameters and structure of the investigated system.
  • PD volumes (number of records, etc.) stored and processed in ISPD.
  • Information about the location of the system.
  • Information about the possibility of accessing the database through networks available for public use (LAN, Internet, etc.).

The audit is carried out in strict accordance with a joint document prepared by the Ministry of Communications, FSTEC and the FSB. It is quite voluminous and requires thorough study. For this reason, the audit of the system and the preparation of the recommendations on which the protection of the ISPD will be based should be entrusted to specialists. Their services can be obtained, for example, by contacting Rentacloud (http://rentacloud.su).

Types, classes of ISPDN, and what else you need to know about such systems

Personal data information systems (PD) are divided into 4 classes and 2 types. The division into classes is carried out on the basis of such characteristics as the category of processed PD and their volumes.

Classes

The table will help you deal with this:

Explanations for the table.

Category 4 includes anonymized personal data, from which it is impossible to identify a specific subject (for example, statistical data). Category 3 includes PD on the basis of which only the identification of a person is possible (they are quite rare). Category 2 includes data on the basis of which it is possible to identify a person and obtain some additional information (for example, payroll systems in organizations and enterprises). The first category includes data containing information about nationality, health status and other social information, and information of a different nature (for example, databases of health care institutions).

As for the classes indicated in the table, an ISPDN is assigned to one of them on the basis of the possible damage to subjects in case of a violation of security conditions:

  • Class 4. Any negative consequences for the subject are excluded.
  • Class 3. Minor negative consequences may occur.
  • Class 2. Negative consequences may occur.
  • Class 1. Very serious negative consequences are possible.

ISPDN types

The first type includes systems where the functions of protecting the ISPD are reduced only to achieving the required indicators of its confidentiality. If, in addition to confidentiality, at least one additional security indicator (authenticity, availability, data integrity, etc.) must be ensured, the system is of the second type.

It is worth noting that most of the systems used today are classified as the second type.

It can be seen that the development of ISPDs, their classification and the provision of reliable, effective protection are very complex and multifaceted processes. To avoid mistakes, it is advisable to entrust this to specialists. For this, you can contact, for example, the Rentacloud company, which occupies one of the leading positions in this market.

"Budgetary organizations: accounting and taxation", 2009, N 12

From January 1, 2010, personal data information systems in all organizations, including budgetary institutions, must be brought into line with the requirements of the Law "On Personal Data"<1>. A number of by-laws were adopted under this Law, and as a result there are now differing interpretations of the duties of state and municipal institutions in relation to the information systems they operate. This article analyzes the provisions of the current legislation and highlights the requirements that must be met.

<1>Federal Law of 27.07.2006 N 152-FZ.

According to Art. 1 of the Law "On Personal Data", this Federal Law regulates relations related to the processing of personal data carried out by federal bodies of state power, bodies of state power of constituent entities of the Russian Federation, other government bodies, local self-government bodies, municipal bodies that are not part of the system of local self-government bodies, legal entities and individuals, with the use of automation tools or without the use of such tools, if the processing of personal data without the use of such tools corresponds to the nature of the actions (operations) performed with personal data using automation tools.

Such attention to the automation of personal data processing entails the need to comply with special legislative norms regarding the use of information technologies. At the same time, it is necessary to carefully study the regulatory and legal framework, which at present can be interpreted very ambiguously, especially in terms of the requirements placed on information systems.

The concept of "information system" in the current legislation

In accordance with the Federal Law "On Information, Information Technologies and Information Protection"<2>, an information system is a set of information contained in databases, the information technologies that ensure its processing, and technical means. Based on this definition, it can be concluded that there are no information systems without the use of computer technology and the corresponding software.

<2>Federal Law of 27.07.2006 N 149-FZ.

However, Art. 3 of the Law "On Personal Data" provides a broader definition of an information system: it is a collection of personal data contained in a database, as well as the information technologies and technical means that allow the processing of such personal data with or without automation tools.

Let us examine the components of this definition; their own definitions can be found in the Federal Law "On Information, Information Technologies and Information Protection", other laws and regulations of the Government of the Russian Federation.

A database is understood as a set of organized interrelated data on machine-readable media (Temporary Regulation on State Accounting and Registration of Databases and Data Banks<3>). However, part four of the Civil Code of the Russian Federation (paragraph 2 of clause 2 of article 1260) gives a more detailed definition of a database: it is a set of independent materials presented in an objective form (articles, calculations, regulations, judgments and other similar materials), systematized in such a way that these materials can be found and processed using an electronic computing machine (computer).

<3>Approved by the Decree of the Government of the Russian Federation of February 28, 1996 N 226.

Information technologies are processes and methods of searching, collecting, storing, processing, providing and disseminating information, and the ways of implementing such processes and methods (Federal Law "On Information, Information Technologies and Information Protection").

Technical means allowing the processing of personal data are understood as computing equipment, information and computing complexes and networks, means and systems for transmitting, receiving and processing personal data (means and systems for sound recording, sound reinforcement and sound reproduction, intercom and television devices, means of producing and duplicating documents, and other technical means of processing speech, graphic, video and alphanumeric information), software (operating systems, database management systems, etc.), and information security tools used in information systems (Regulation on ensuring the security of personal data when processing them in personal data information systems<4>).

<4>Approved by the Decree of the Government of the Russian Federation of November 17, 2007 N 781.

Thus, technical means include both copiers and software, but the key concept in the definition of a personal data information system is the "database". It follows from this definition that the database is processed by a computer (the media must be machine-readable). If the processing is carried out without a computer and a database (machine-readable media), then formally there is no information system. In addition, without technical means that allow the processing of personal data, a database cannot be recognized as an information system either. Finally, information systems are not just a collection of computer equipment and some programs that process information from databases; they may or may not use automation tools.

What is meant by automation tools?

There is a point of view according to which the use of automation means any processing on a computer or with electronic devices. If the database is stored on a computer (for example, in a spreadsheet or accounting software) or, for example, in the address book of a cell phone, then this is already automated processing of personal data and is subject to notification of Roskomnadzor. In addition, some experts believe that processing without the use of automation tools can only be carried out on paper (in hand-filled journals, in handwritten lists).

In accordance with Part 3 of Art. 4 of the Law "On Personal Data", the specifics of personal data processing carried out without the use of automation tools may be established by federal laws and other regulatory legal acts of the Russian Federation, taking into account the provisions of this Federal Law.

Decree of the Government of the Russian Federation of September 15, 2008 N 687 approved the Regulation on the specifics of personal data processing carried out without the use of automation tools. According to clause 1 of the said Regulation, the processing of personal data contained in a personal data information system or extracted from such a system (hereinafter referred to as personal data) is considered carried out without the use of automation tools (non-automated) if such actions with personal data as use, clarification, distribution and destruction of personal data in relation to each of the subjects of personal data are carried out with the direct participation of a person.

Let us pay special attention to the fact that, in accordance with clause 2 of the Regulation on the specifics of personal data processing carried out without the use of automation tools, the processing of personal data cannot be recognized as carried out using automation tools only on the basis that the data are contained in an information system or have been extracted from it.

Thus, it can be stated that, from the point of view of the definitions available in current legislation, the vast majority of information systems in state and municipal institutions can formally be considered as implemented without the use of automation tools (including a significant part of accounting software). After all, all personal record cards in these systems are edited manually in the corresponding windows. To destroy personal record cards, the operator also needs to select them in a list and press a special key to delete the data. Even archiving is done by a special program that is launched by a human.

But various programs that allow data to be reformatted (including from the format of an accounting program into the format of, for example, a Pension Fund program) and that perform automatic input and further transmission without referring to each specific employee record can be attributed to automated data processing. At the same time, the processing of personal data (including last name, first name, patronymic, pension certificate number, etc.) is an integral part of such programs.

At the same time, if the transfer of data to other programs (including for tax accounting purposes) is not carried out completely automatically, but with the help of a person participating in the processing of personal data, then such processing cannot be considered automated either.

In this regard, the recommendations of the Federal Agency for Education set out in the Letter of July 29, 2009 N 17-110 "On ensuring the protection of personal data" have rather limited application in practice. In order to automate the processing of personal data in questionnaires, Rosobrazovanie recommends additionally indicating an internal identification number (personal code) of the subject of personal data, assigned for the entire period of study or work. This allows databases to be anonymized, if they do not contain other personal data, and significantly reduces the cost of protecting information.

However, for the automation of management activities in a state or municipal institution, at least the last names, first names and patronymics of employees, pupils, students and so on, as well as a number of other personal data (for employees, for example, information about their income for accounting and tax purposes), are required. Using personal codes contained in the sheets (questionnaires) for the rest of the data processing in software would look strange, to say the least, and would reduce the effectiveness of introducing modern information technologies. Moreover, depending on the form of the questionnaires used, they may be recognized as part of the information system (as part of the database), which completely deprives the additional encoding of meaning (such encoding is required if it is advisable to depersonalize the data, for example, for statistical studies).

Personal data processing without using automation tools

So, as discussed above, despite the computerization of activities, in most cases the processing of personal data in state and municipal institutions is carried out without the use of automation tools (non-automated) and, accordingly, is regulated by the Regulation on the specifics of personal data processing carried out without the use of automation tools<5>.

<5>Approved by the Decree of the Government of the Russian Federation of September 15, 2008 N 687.

Persons conducting such processing (including employees of the operator organization or persons working under a contract with the operator) must be informed about the fact that they process personal data without using automation tools, the categories of personal data processed, as well as about the features and rules for the implementation of such processing established by regulatory legal acts of federal executive bodies, executive bodies of the constituent entities of the Russian Federation and local acts of an educational institution.

Personal data during processing carried out without the use of automation tools must be separated from other information, in particular by recording them on separate material media, in special sections or in the fields of forms (blanks).

At the same time, it is not allowed to fix personal data on one material medium if the purposes of their processing are deliberately incompatible. In this case, a separate material medium should be used for each category of personal data.

Therefore, the processing must be carried out in such a way that, with respect to each category of personal data:

  • storage locations have been identified and a list of persons who process data or have access to it has been established;
  • the separate storage of personal data (material carriers) is ensured, the processing of which is carried out for various purposes;
  • the conditions are met, ensuring the safety of personal data and excluding unauthorized access to them.

The list of measures necessary to ensure such conditions, the procedure for their adoption, as well as the list of persons responsible for the implementation of these measures, are established by the educational institution in accordance with the requirements of regulatory legal acts on the protection of personal data.

If the purposes of processing personal data recorded on one material medium are incompatible, and the medium does not allow their processing separately from other personal data recorded on the same medium, measures should be taken to ensure separate processing, in particular:

  • if it is necessary to use or disseminate certain personal data separately from others located on the same material medium, the data to be disseminated or used are copied in a way that excludes the simultaneous copying of data that cannot be disseminated and used, and a copy of personal data is used (distributed);
  • if it is necessary to destroy or block a part of personal data, the material medium is destroyed or blocked with preliminary copying of information that is not subject to destruction or blocking, in a way that excludes the simultaneous copying of personal data to be destroyed or blocked.

The destruction or depersonalization of a part of personal data, if allowed by a material medium, can be carried out in a way that excludes further processing of this personal data, while preserving the possibility of processing other data recorded on a material medium (deletion, blotting out).

Clarification of personal data when processing them without using automation tools is carried out by updating or changing the data on the material medium, and if the technical features of the material medium do not allow this, by recording on the same medium information about the changes made to them, or by producing a new material medium with the updated personal data.

Personal data processing using automation tools

The regulation on ensuring the security of personal data during their processing in personal data information systems establishes requirements for ensuring the safety of personal data when processing them in personal data information systems, which are a set of personal data contained in databases, as well as information technologies and technical means.

As follows from item 1 of this Regulation, the term "information systems" means only information systems that allow the processing of personal data using automation tools, therefore, the requirements of this Regulation do not apply to information systems in which data processing is carried out without using automation tools.

If an automated processing of personal data is carried out in a state or municipal institution, then the following requirements must be met.

According to the Regulation on ensuring the security of personal data during their processing in personal data information systems, the security of personal data is achieved:

  • by excluding unauthorized, including accidental, access to personal data, the result of which may be the destruction, modification, blocking, copying, distribution of personal data;
  • by excluding other unauthorized actions.

The security of personal data during their processing in information systems is ensured with the help of personal data protection systems including:

  • organizational measures;
  • information security means;
  • information technologies.

Information security tools include:

  • encryption (cryptographic) means;
  • means of preventing unauthorized access;
  • means of preventing information leakage through technical channels;
  • means of preventing software and hardware influences on technical means of processing personal data.

To ensure the security of personal data during their processing in information systems, protection is provided for speech information and information processed by technical means, as well as information presented in the form of informative electrical signals, physical fields, and media on paper, magnetic, magneto-optical and other bases.

Requests of users of the information system for obtaining personal data, as well as the facts of providing data on these requests, must be registered by automated means of the information system in an electronic journal of requests. Moreover, the content of the electronic journal of requests must be periodically checked by the appropriate officials (employees) of the operator or by an authorized person.

If violations of the procedure for providing personal data are detected, the operator or an authorized person immediately suspends the provision of personal data to users of the information system until the causes of violations are identified and eliminated.

Hardware and software must meet the requirements established in accordance with the legislation of the Russian Federation to ensure the protection of information. At the same time, the methods and means of protecting information in information systems are established by the Federal Service for Technical and Export Control (FSTEC) and the Federal Security Service (FSB) within their powers.

The security of personal data during their processing in the information system is ensured by the operator or the person to whom, on the basis of the contract, the operator entrusts the processing of personal data. Persons whose access to personal data processed in the information system is necessary for the performance of official (labor) duties are admitted to the relevant personal data on the basis of a list approved by the operator or an authorized person. An essential condition of the agreement is the duty of the authorized person to ensure the confidentiality and security of personal data when processing them in the information system.
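The journal, periodic check, suspension and approved-list requirements above, as an added Python example (not code from the article or from any regulation it cites). The class and function names, the hash-chained journal format, the approved users and the sample requests are all assumptions constructed for illustration.

```python
"""Electronic journal of personal-data requests with periodic review.

Added example modelling three requirements quoted from the Regulation: every
request for personal data and the fact of providing it are registered
automatically in an electronic journal; the journal is checked periodically
by a responsible official; and on a detected violation of the provision
procedure, provision is suspended until the causes are eliminated. Data is
provided only to users on the list approved by the operator. All names and
sample values below are assumptions constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import json


@dataclass
class JournalEntry:
    timestamp: datetime
    user: str
    subject_id: str   # identifier of the PD subject whose record was requested
    purpose: str
    provided: bool    # the "fact of providing data", recorded with the request
    prev_hash: str    # hash of the previous entry; chaining makes later edits visible
    entry_hash: str = ""

    def payload(self) -> str:
        return json.dumps([self.timestamp.isoformat(), self.user,
                           self.subject_id, self.purpose, self.provided])


def chain_hash(prev_hash: str, payload: str) -> str:
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class PdRequestJournal:
    def __init__(self, approved_users, review_period=timedelta(days=30)):
        self.approved = set(approved_users)   # list approved by the operator
        self.entries = []
        self.suspended = False
        self.review_period = review_period    # how often the official must check
        self.last_review = None

    def record(self, user, subject_id, purpose, provided, now):
        """Register a request together with whether data was actually provided."""
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = JournalEntry(now, user, subject_id, purpose, provided, prev)
        entry.entry_hash = chain_hash(prev, entry.payload())
        self.entries.append(entry)
        return entry

    def review_due(self, now):
        return self.last_review is None or now - self.last_review >= self.review_period

    def review(self, now):
        """Periodic check: returns (kind, entry) for each tampered entry or each
        provision to a user not on the approved list; any finding suspends provision."""
        violations, prev = [], ""
        for e in self.entries:
            if e.prev_hash != prev or chain_hash(prev, e.payload()) != e.entry_hash:
                violations.append(("journal_tampered", e))
            elif e.provided and e.user not in self.approved:
                violations.append(("provided_to_unapproved_user", e))
            prev = e.entry_hash
        self.last_review = now
        if violations:
            self.suspended = True
        return violations

    def resume(self):
        """Called once the causes of the violations are identified and eliminated."""
        self.suspended = False


def handle_request(journal, user, subject_id, purpose, now):
    """Front door of the information system: decide, then journal the outcome."""
    provided = (not journal.suspended) and user in journal.approved
    journal.record(user, subject_id, purpose, provided, now)
    return provided


def demo_scenario():
    """Constructed walk-through; returns the observations the example makes."""
    t0 = datetime(2024, 1, 10, 9, 0)
    j = PdRequestJournal(approved_users=["ivanova", "petrov"])
    out = {"due_initially": j.review_due(t0)}
    out["ok_approved"] = handle_request(j, "ivanova", "subj-0001", "payroll", t0)
    out["ok_unapproved"] = handle_request(j, "sidorov", "subj-0001", "curiosity", t0)
    # A bypass path (e.g. a direct export) journals a provision to a user not on the list.
    j.record("sidorov", "subj-0002", "export", True, t0 + timedelta(minutes=2))
    out["first_review"] = [k for k, _ in j.review(t0 + timedelta(days=1))]
    out["due_after_review"] = j.review_due(t0 + timedelta(days=2))
    out["while_suspended"] = handle_request(j, "ivanova", "subj-0003", "payroll", t0 + timedelta(days=1))
    j.resume()
    out["after_resume"] = handle_request(j, "ivanova", "subj-0003", "payroll", t0 + timedelta(days=1))
    j.entries[0].purpose = "edited afterwards"   # simulate tampering with a past entry
    out["second_review"] = [k for k, _ in j.review(t0 + timedelta(days=31))]
    out["entries"] = len(j.entries)
    return out
```

The review deliberately re-derives each violation from the journal itself rather than trusting the front door, because the Regulation requires the official's check to catch provisions that bypassed it.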

Information security tools used in information systems undergo a conformity assessment procedure in the established order. The exchange of personal data during their processing in information systems is carried out through communication channels whose protection is ensured by implementing appropriate organizational measures and (or) by using technical means.

At the same time, information systems are classified by the state bodies, municipal bodies, legal entities or individuals that organize and (or) carry out the processing of personal data and determine the purposes and content of the processing, depending on the volume of personal data processed by them and the security threats to the vital interests of the individual, society and the state.

The procedure for classifying information systems is established jointly by the Federal Service for Technical and Export Control, the Federal Security Service and the Ministry of Information Technologies and Communications. This Procedure is determined by the Order of the FSTEC of Russia, the FSB of Russia and the Ministry of Information Technologies and Communications of Russia dated 13.02.2008 N 55/86/20.

In addition, requirements for the premises and their protection are specified. According to clause 8 of the Regulation on ensuring the security of personal data during their processing in personal data information systems, the placement of information systems and special equipment, the protection of the premises in which work with personal data is carried out, and the organization of the security regime in these premises must ensure the safety of personal data carriers and information protection means, and exclude the possibility of uncontrolled entry or stay of outsiders in these premises.

For this, state and municipal institutions should install additional alarms in the indicated rooms, in doorways - additional locks or metal doors.

Measures to ensure the security of personal data during their processing in information systems include:

a) identification of threats to the security of personal data during their processing, the formation of a threat model on their basis;

b) development, based on the threat model, of a personal data protection system that neutralizes the identified threats using the methods and means of protecting personal data provided for the corresponding class of information systems;

c) checking the readiness of information security tools for use with drawing up conclusions about the possibility of their operation;

d) installation and commissioning of information security tools in accordance with operational and technical documentation;

e) training of persons using the information security tools used in information systems in the rules for working with them;

f) accounting of the applied means of information protection, operational and technical documentation for them, carriers of personal data;

g) registration of persons admitted to work with personal data in the information system;

h) control over compliance with the conditions for the use of information security tools provided for by the operational and technical documentation;

i) investigation and drawing up of conclusions on facts of non-compliance with the storage conditions of personal data carriers or the use of information protection means that may lead to a violation of the confidentiality of personal data or other violations leading to a decrease in the level of protection of personal data, and the development and adoption of measures to prevent the possible dangerous consequences of such violations;

j) a description of the personal data protection system.

Persons who have access to information bases containing personal data sign a non-disclosure obligation (such an obligation may also be included in an employment contract). Only after that does the educational institution allow them to process personal data.

When processing personal data in the information system, an educational institution must ensure:

a) taking measures aimed at preventing unauthorized access to personal data and (or) transferring them to persons who do not have the right to access such information;

b) timely detection of facts of unauthorized access to personal data;

c) prevention of impact on technical means of automated processing of personal data, as a result of which their functioning may be disrupted;

d) the possibility of immediate recovery of personal data, modified or destroyed due to unauthorized access to them;

e) constant control over ensuring the level of protection of personal data.

To develop and implement measures to ensure the security of personal data during their processing in the information system, the operator or an authorized person may appoint a structural unit or an official (employee) responsible for ensuring the security of personal data.

You should also pay special attention to the fact that, in accordance with clause 17 of the Regulation on ensuring the security of personal data during their processing in personal data information systems, the implementation of the requirements for ensuring the security of information in information security means is entrusted to their developers.

The adequacy of the measures taken to ensure the security of personal data during their processing in information systems is assessed in the course of state control and supervision.

Classification of personal data information systems

The classification of personal data information systems in which such data are processed using automation tools is carried out by the educational institution (the operator) in accordance with the Procedure for the classification of personal data information systems <6>, depending on the category of the processed data and their volume.

<6> Approved by the Order of the FSTEC of Russia, the FSB of Russia and the Ministry of Information Technologies and Communications of the Russian Federation of 13.02.2008 N 55/86/20.

The following four categories of personal data have been established:

  1. personal data concerning race, nationality, political views, religious and philosophical beliefs, health status, intimate life;
  2. personal data that allows the subject of personal data to be identified and additional information about him to be obtained, with the exception of personal data belonging to the first category;
  3. personal data that allows the subject of personal data to be identified;
  4. anonymized and (or) publicly available personal data.

In any university, on public notice boards, one can find various lists of students that include a combination of the student's full name, course and group, which allows the student to be uniquely identified. As a result, such a combination of personal data must be classified as personal data of the third category, and the placement of this data in a public place formally requires the student's consent.

The employee's personal card (form T-2) and the student's (pupil's) personal file belong to the second category, since this is personal data that allows not only the subject of personal data to be identified but also additional information about him to be obtained.

Personal data information systems are subdivided into standard and special. Typical systems include systems in which only the confidentiality of personal data is required. All other systems are classified as special.

Special information systems should also include:

  • information systems in which personal data are processed concerning the state of health of subjects of personal data;
  • information systems in which decisions that give rise to legal consequences for the subject of personal data, or otherwise affect his rights and legitimate interests, are made solely on the basis of automated processing of personal data.

Based on the above classification, it can be stated that any medical data, as well as personnel records containing a "nationality" column (and nearly all questionnaires and personal sheets currently in use contain one), must be assigned to the first category.

Based on the results of the analysis of available data, a typical information system is assigned one of four classes specified in the Procedure for classifying personal data information systems.

The class of a special information system is determined on the basis of a model of threats to the security of personal data based on the results of the analysis of the initial data in accordance with the methodological documents of the FSTEC.

FSTEC has published the following documents marked "for official use" (DSP), which can be obtained only by contacting that authority:

  • Basic measures for the organization and technical support of the security of personal data processed in personal data information systems, dated 15.02.2008;
  • The basic model of threats to the security of personal data during their processing in personal data information systems, dated 15.02.2008;
  • Methodology for determining current threats to the security of personal data during their processing in personal data information systems, dated 15.02.2008;
  • Recommendations for ensuring the security of personal data when processing them in personal data information systems, dated 15.02.2008.

These methodological documents contain numerous requirements that are extremely difficult for most state or municipal institutions to meet, for both organizational and financial reasons.

Declaration, certification (attestation) and licensing of activities for the protection of personal data

The FSTEC methodological documents listed above establish the following procedure for assessing the compliance of the degree of security of information systems with security requirements:

  • for information systems of the first and second class, compliance of the degree of protection with security requirements is established by mandatory attestation (certification);
  • for information systems of the third class, compliance with security requirements is confirmed by attestation (certification) or, at the operator's option, by a declaration of conformity carried out by the personal data operator;
  • for information systems of the fourth class, conformity assessment is not regulated and is carried out at the decision of the personal data operator.

A declaration of conformity is a confirmation that the characteristics of the personal data information system comply with the requirements established by legislation, guidelines and the regulatory and methodological documents of the FSTEC and the FSB.

A declaration of conformity can be made on the basis of the operator's own evidence or of evidence obtained with the participation of third-party organizations that hold the necessary licenses. The list of attestation bodies (organizations) of the certification system for information protection means under information security requirements, which educational institutions and education authorities lacking the necessary specialists and licenses may contact, as well as the State Register of certified information security tools, are posted on the FSTEC website. The cost of such procedures is quite high and is measured in hundreds of thousands of rubles.

In the case of a declaration based on its own evidence, the operator independently assembles a set of documents, such as technical documentation, other documents and the results of its own research, which serve as the reasoned basis for confirming that the personal data information system complies with all the requirements imposed on the third class.

Attestation (certification) tests are carried out by organizations that hold the necessary FSTEC licenses. Attestation here means a set of measures that bring the information system into line with the information security requirements for the declared class set out in the FSTEC regulatory and methodological documents.

Attestation (certification) tests comprise an analysis of the personal data information systems already present at the facility, as well as of newly adopted decisions on ensuring information security, and include checking:

  • organizational and regime measures to ensure the protection of information;
  • security of information from leaks through technical channels (PEMIN);
  • security of information from unauthorized access.

Based on the results of certification tests, a decision is made to issue a certificate of conformity of the information system to the declared class according to information security requirements. The certificate is issued for a period of three years.

The FSTEC methodological documents also establish additional requirements for holding licenses for the protection of personal data. Without the appropriate licenses, such measures are permitted only for information systems of the third and fourth class.

To carry out measures to ensure the security of personal data in special information systems, in systems of the first and second class, and in distributed (including Internet-connected) systems of the third class, operators must obtain, in the established manner, an FSTEC license for activities in the technical protection of confidential information.

The legality of imposing the procedures of declaration, attestation (certification) and licensing on state and municipal institutions on the basis of the FSTEC methodological documents raises serious doubts.

The Regulation on the procedure for handling official information of limited distribution in federal executive bodies <7> (clause 1.2) defines official information of limited distribution as unclassified information concerning the activities of organizations whose distribution is restricted out of official necessity. The establishment of licensing obligations for the activities of organizations can in no way be recognized as information of limited distribution (DSP).

<7> Approved by the Decree of the Government of the Russian Federation of 03.11.1994 N 1233.

Licensing obligations for certain types of activities, including activities for the technical protection of confidential information, are determined by the Federal Law "On licensing certain types of activities" <8>. The procedure for licensing activities for the technical protection of confidential information carried out by legal entities and individual entrepreneurs is determined by the Decree of the Government of the Russian Federation of 15.08.2006 N 504.

<8> Federal Law of 08.08.2001 N 128-FZ.

Neither the Regulation on licensing activities for the technical protection of confidential information nor the Procedure for classifying personal data information systems establishes an obligation to license activities for the technical protection of confidential information depending on the class of the information system. These requirements are established only in the DSP document "Basic measures for the organization and technical support of the security of PD processed in ISPD".

The regulation on ensuring the security of personal data during their processing in personal data information systems determines only that:

  • information security tools used in information systems undergo the conformity assessment procedure in the established manner (clause 5) - that is, it is not the operator but the information security tool that is subject to certification, and certification is carried out by the manufacturer of that tool (including computer programs for information protection);
  • the results of the conformity assessment and (or) case studies of information protection tools designed to ensure the security of personal data when processing them in information systems are evaluated during an examination carried out by the Federal Service for Technical and Export Control and the Federal Security Service within their powers.

In accordance with Part 3 of Art. 15 of the Constitution of the Russian Federation, all laws, as well as any normative acts affecting the rights, freedoms and duties of a person and citizen, must be officially published for general information, that is, made public. Unpublished normative legal acts are not applied and do not entail legal consequences, since they have not entered into force.

Since May 15, 1992, by the Decree of the Government of the Russian Federation of 08.05.1992 N 305 "On state registration of departmental normative acts", state registration has been required for normative acts of ministries and departments that affect the rights and interests of citizens or are of an interdepartmental nature.

The issues of state registration and entry into force of departmental normative legal acts are regulated by Decree of the President of the Russian Federation N 763 <9> and Resolution of the Government of the Russian Federation N 1009 <10>.

<9> Decree of the President of the Russian Federation of 23.05.1996 N 763 "On the procedure for the publication and entry into force of acts of the President of the Russian Federation, the Government of the Russian Federation and normative legal acts of federal executive bodies".
<10> Decree of the Government of the Russian Federation of 13.08.1997 N 1009 "On approval of the Rules for the preparation of normative legal acts of federal executive bodies and their state registration".

According to clause 10 of the Rules for the preparation of normative legal acts of federal executive bodies and their state registration, state registration applies to normative legal acts that affect the rights, freedoms and obligations of a person and citizen, establish the legal status of organizations, or are of an interdepartmental nature, regardless of their period of validity, including acts containing information constituting a state secret or information of a confidential nature.

The state registration of normative legal acts is carried out by the Ministry of Justice, which maintains the State register of normative legal acts of federal executive bodies.

State registration of a regulatory legal act includes:

  • legal examination of the compliance of this act with the legislation of the Russian Federation, including checking for the presence of provisions in it that contribute to the creation of conditions for the manifestation of corruption;
  • making a decision on the need for state registration of this act;
  • assignment of a registration number;
  • entry into the State Register of normative legal acts of federal executive bodies.

Normative legal acts affecting the rights, freedoms and duties of a person and citizen, establishing the legal status of organizations or having an interdepartmental character are subject to official publication in the prescribed manner, except for acts or their individual provisions that contain information constituting a state secret or information of a confidential nature.

An act recognized by the Ministry of Justice as not requiring state registration is subject to publication in the manner determined by the federal executive body that approved the act. At the same time, the procedure for the entry into force of this act is also determined by the federal executive body that issued it.

Therefore, in the author's opinion, state and municipal institutions that carry out automated processing of personal data may, when presented with demands to obtain licenses, to declare conformity or to undergo attestation (certification), appeal such demands in court (especially if the personal data protection tools they use have already been certified by their manufacturer).

A. Bethlehem

Director, Nizhny Novgorod Center for the Economics of Education

One of the priority measures that must be taken when creating an information system for processing personal data (ISPD) is the classification of ISPD.

This is necessary in order to determine the class of the system and the corresponding FSTEC and FSB requirements for the processing of personal data (PD). In this article I will describe the general procedure for classifying an ISPD.

In accordance with the Order of the FSTEC / FSB / Ministry of Information Technologies and Communications of 13.02.2008 No. 55/86/20 "On approval of the Procedure for the classification of personal data information systems", classification must include the following stages:

  • Collection and analysis of initial data on the information system;
  • Assigning an appropriate class to an information system and documenting it.

When classifying an information system, it is necessary to answer the following questions:

  1. What category does the personal data processed in the information system belong to (Xpd)?
  2. What is the volume of processed personal data, i.e. the number of personal data subjects whose personal data is processed in the information system (Xnpd)?
  3. What are the security characteristics of the personal data processed in the information system?
  4. What is the structure of the information system?
  5. Is the information system connected to public communication networks and/or networks of international information exchange (such as the Internet)?
  6. What is the mode of processing personal data?
  7. What is the mode of differentiation of access rights for users of the information system?
  8. Where are the technical means of the information system located?

Initial data and supporting information

The following categories of personal data processed in the information system (Xpd) are determined:

  1. Category 1 - personal data concerning race, nationality, political views, religious and philosophical beliefs, health status, intimate life;
  2. Category 2 - personal data that allows the subject of personal data to be identified and additional information about him to be obtained, with the exception of personal data belonging to Category 1;
  3. Category 3 - personal data that allows the subject of personal data to be identified;
  4. Category 4 - anonymized and (or) publicly available personal data.

Xnpd can take the following values:

  • 1 - the information system simultaneously processes personal data of more than 100,000 personal data subjects, or personal data of subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole;
  • 2 - the information system simultaneously processes personal data of from 1,000 to 100,000 personal data subjects, or personal data of subjects working in a sector of the economy of the Russian Federation or in a state authority, or residing within a municipality;
  • 3 - the information system simultaneously processes personal data of fewer than 1,000 personal data subjects, or personal data of subjects within a particular organization.

Personal data security characteristics

For ISPD, the security characteristics of personal data are determined, which are divided into basic and additional:

BASIC:

  • confidentiality
  • integrity
  • availability

ADDITIONAL:

  • non-repudiation
  • accounting (accountability)
  • authenticity (reliability)
  • adequacy

By structure, information systems are subdivided into:

  • autonomous (not connected to other information systems) complexes of technical and software tools intended for the processing of personal data (workstations);
  • a set of automated workstations, united into a single information system by means of communication without the use of remote access technology (local information systems);
  • a complex of automated workstations and (or) local information systems, united into a single information system by means of communication using remote access technology (distributed information systems).

Processing mode

When organizing ISPD, the following processing modes are determined:

  • single-user;
  • multi-user.

Access rights differentiation mode

In an ISPD, the access rights differentiation mode is one of:

  • without differentiation of access rights;
  • with differentiation of access rights.

Information systems are divided into typical and special.
Typical information systems are those that require only the confidentiality of PD.

Special information systems are those that, in addition to confidentiality, require other security characteristics, and in any case:

  • Information systems in which personal data are processed concerning the state of health of subjects of personal data;
  • Information systems in which, on the basis of solely automated processing of personal data, decisions are made that give rise to legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests.

Information system classification

According to the Order of the FSTEC / FSB / Ministry of Information Technologies and Communications No. 55/86/20, ISPDn can take one of the four classes defined in this order:

  1. class 1 (K1) - information systems for which a violation of a given security characteristic of the personal data processed in them can lead to significant negative consequences for the subjects of personal data;
  2. class 2 (K2) - information systems for which a violation of a given security characteristic of the personal data processed in them can lead to negative consequences for the subjects of personal data;
  3. class 3 (K3) - information systems for which a violation of a given security characteristic of the personal data processed in them can lead to minor negative consequences for the subjects of personal data;
  4. class 4 (K4) - information systems for which a violation of a given security characteristic of the personal data processed in them does not lead to negative consequences for the subjects of personal data.
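As an added worked example (my own code, not from the article or the Order), the classification procedure above for a typical ISPD in Python: Xpd and Xnpd come from the answers to questions 1 and 2, the typical/special split and the K1..K4 classes follow the text, and the conformity assessment route per class comes from the earlier section on declaration and attestation. The class grid itself is not reproduced on this page; it is my reading of the table in clause 14 of Order No. 55/86/20 and should be checked against the Order's text, and the three sample systems are constructed to mirror the student-list and personnel-card cases discussed above.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional

class Xpd(Enum):
    """Personal data category (Xpd) from the Order."""
    CAT1 = 1  # race, nationality, political/religious views, health, intimate life
    CAT2 = 2  # identifies the subject and yields additional information about him
    CAT3 = 3  # only identifies the subject
    CAT4 = 4  # anonymised and/or publicly available

class Xnpd(Enum):
    """Volume indicator (Xnpd): subjects processed at the same time."""
    OVER_100K = 1
    FROM_1K_TO_100K = 2
    UNDER_1K = 3

def volume_indicator(subjects: int) -> Xnpd:
    """Map a subject count to Xnpd; 1,000 and 100,000 both fall in value 2."""
    if subjects > 100_000:
        return Xnpd.OVER_100K
    return Xnpd.FROM_1K_TO_100K if subjects >= 1_000 else Xnpd.UNDER_1K

# Class of a typical ISPDn by (Xpd, Xnpd). The article names the inputs and the
# classes but not this grid; it is my reading of the table in clause 14 of the
# Order and should be checked against the Order's text before being relied on.
_TYPICAL_CLASS = {
    Xpd.CAT4: {Xnpd.UNDER_1K: "K4", Xnpd.FROM_1K_TO_100K: "K4", Xnpd.OVER_100K: "K4"},
    Xpd.CAT3: {Xnpd.UNDER_1K: "K3", Xnpd.FROM_1K_TO_100K: "K3", Xnpd.OVER_100K: "K2"},
    Xpd.CAT2: {Xnpd.UNDER_1K: "K3", Xnpd.FROM_1K_TO_100K: "K2", Xnpd.OVER_100K: "K1"},
    Xpd.CAT1: {Xnpd.UNDER_1K: "K1", Xnpd.FROM_1K_TO_100K: "K1", Xnpd.OVER_100K: "K1"},
}

# Conformity assessment route the article lists for each class.
_ASSESSMENT = {"K1": "mandatory attestation", "K2": "mandatory attestation",
               "K3": "attestation or operator's declaration of conformity",
               "K4": "at the operator's discretion"}

@dataclass(frozen=True)
class Ispdn:
    name: str
    category: Xpd
    subjects: int
    characteristics: FrozenSet[str]          # required security characteristics
    health_data: bool = False                # processes data on subjects' health
    automated_legal_decisions: bool = False  # purely automated decisions with legal effect

def is_special(s: Ispdn) -> bool:
    """Typical only when confidentiality alone is required and neither
    explicit 'special' criterion from the Order applies."""
    return (s.characteristics != frozenset({"confidentiality"})
            or s.health_data or s.automated_legal_decisions)

def classify(s: Ispdn) -> Optional[str]:
    """K1..K4 for a typical system; None for a special one, whose class
    must come from a threat model rather than from the table."""
    if is_special(s):
        return None
    return _TYPICAL_CLASS[s.category][volume_indicator(s.subjects)]

def conformity_assessment(klass: str) -> str:
    return _ASSESSMENT[klass]

# Constructed inputs mirroring the article's own cases (hypothetical counts).
STUDENT_LIST = Ispdn("public student list", Xpd.CAT3, 800, frozenset({"confidentiality"}))
HR_CARDS = Ispdn("T-2 cards with 'nationality'", Xpd.CAT1, 300, frozenset({"confidentiality"}))
CLINIC = Ispdn("health records", Xpd.CAT1, 5_000, frozenset({"confidentiality"}), health_data=True)
```

Note that a system holding "nationality" lands in K1 at any volume, which is why the article warns that almost all personnel questionnaires pull the whole system into the first category.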
