How to get an FSTEC license? Obtaining an FSTEC license for the technical protection of confidential information: basic provisions.

Technical protection of confidential information is a pressing issue today. Every organization collects, in one way or another, information that it would prefer not to disclose or simply has no right to disclose, and the leakage of such data can have very serious consequences.

The state controls this important area, and the main regulatory body is the Federal Service for Technical and Export Control (FSTEC).

Companies that are engaged or plan to engage in activities to protect confidential information must obtain a license from the FSTEC (Federal Law No. 99 “On Licensing Certain Types of Activities”, Government Decree No. 957 of November 21, 2011 “On the Organization of Licensing Certain Types of Activities”). There is also an FSB license, which is necessary for companies dealing with state secrets.

Types of FSTEC licenses

Considering only the activities under FSTEC's jurisdiction, there are two main types of licenses:

First: the FSTEC license for the technical protection of confidential information (TZKI). Such a license is required by companies that work directly with information: they use and install ready-made software, test equipment, communication lines and special rooms for storing information, and so on. A detailed list of the works that require a TZKI license is given below.

Second: the FSTEC license for the development and production of confidential information protection tools (SZKI). Organizations holding this license develop and manufacture information security tools themselves, including special software and equipment designed to process, store and transmit protected information and to monitor security. FSTEC certificates are issued for all software and hardware produced and used for these purposes, and protective equipment is re-certified at set intervals.

What is meant by confidential information?

There is no clear definition of this concept in the legislation: it can be both a trade secret and personal data or any other information of limited use.

There is also the concept of "personal data operator". This is any organization or individual organizing and (or) carrying out the processing of personal data. According to the law (FZ No. 152 “On Personal Data”), the PD operator is obliged to ensure their inviolability, that is, to take measures for the technical protection of information that are subject to licensing.

In practice, this does not always mean that the operator needs to obtain an FSTEC license itself. The operator may engage a third-party organization that holds a license, or designate an internal structural unit or official to handle TZKI. In the latter case, that unit or official must also hold an FSTEC license for TZKI.

FSTEC license for TZKI: which kinds of work require it?

Which organizations need to obtain an FSTEC license for TZKI? To determine this, compare the works or services the organization plans to provide with those listed in the government decree. These works include:

  • control of protection of confidential information from leakage through technical channels in:
    - means and systems of informatization;
    - technical means (systems) that do not process confidential information but are located in premises where it is processed;
    - premises with means (systems) to be protected;
    - premises intended for conducting confidential negotiations (protected premises);
  • control of the security of confidential information from unauthorized access and modification in informatization tools and systems;
  • certification tests for compliance with information security requirements of products used to protect confidential information (technical means of protecting information, secure technical means of processing information, technical means of monitoring the effectiveness of information protection measures, software (software and hardware) means of protecting information, protected software (software and hardware) means of information processing, software (software and hardware) means of information security control);
  • certification tests and certification for compliance with information security requirements of:
    - protected premises;
  • secure design of:
    - means and systems of informatization;
    - premises with means (systems) of informatization subject to protection;
    - protected premises;
  • installation, mounting, testing and repair of information security tools.

Obtaining a license from the FSTEC of Russia for the technical protection of information

The FSTEC of Russia recommends obtaining a license for the technical protection of information on your own, to avoid unjustified expenses and unfounded guarantees from intermediaries. What does the procedure look like? To obtain a license, two conditions must be met:

  1. Collect all necessary documents. The list of documents is quite long and is published on the website of the FSTEC of Russia, fstec.ru. In addition, you must fill out an application and pay a state duty of 7,500 rubles. After the documents are submitted, their completeness is checked within five working days, after which a check is carried out to determine whether the applicant meets the requirements for granting a license.

  2. Meet the requirements. The list of requirements is also on the official website of the FSTEC of Russia. Naturally, these need to be taken care of in advance, before submitting the documents.

Requirements for obtaining an FSTEC license

In a nutshell, these requirements are as follows:

  • Qualified employees. The staff should include workers with higher education in a specialized field or those who have undergone special retraining.
  • Special premises for the implementation of activities. The premises must comply with the regulations and legally belong to the applicant.
  • Certified equipment.
  • Automated systems for processing information with certificates.
  • Legal software.
  • Availability of regulatory legal acts and methodological documents in accordance with the FSTEC list.

Once all the requirements are met and the documents are in order, a license is issued. The validity of a TZKI license is not limited in time, but FSTEC periodically conducts scheduled inspections, so the company must continuously ensure that all FSTEC requirements remain met.

The licensing process is described in detail in the Decree of the Government of the Russian Federation "On Licensing Activities for the Technical Protection of Confidential Information". The document specifies which documents must be submitted to the licensing authority (LO), in what form and under what procedure.

On paper, everything looks quite simple.

  1. A legal entity submits a fully formed application in accordance with the requirements.
  2. Within three days, the licensing authority must review it and report any errors in the application or missing documents. If the LO has comments, the applicant must correct the shortcomings within 30 days.
  3. If the application is completed correctly, then within five days from the date of its acceptance the LO checks the completeness of the documents supplementing the application, which usually amount to about 200-300 pages.
  4. If supplementary documents are missing, the LO refuses to accept the application until the violations are corrected. The legal entity has 30 days to do so.
  5. Having recognized the package of documents as complete, the LO must, within 45 working days, decide whether to issue the license or to give a reasoned refusal.

In reality, however, everything is more complicated. There is only one licensing body for the whole country, located in Moscow; only a few people handle applications, and the number of organizations seeking a license grows every year. Questions can be asked by phone, but only during two hours twice a week, with no more than five minutes per call, so you will not be able to find out much. All this means that completing licensing in a matter of days or even weeks is almost impossible, especially if the licensing rules are unclear to you or you have difficulty meeting even one of the requirements. In addition, for some types of services, the list of legal acts that must be attached to the application alone may run to 15 pages.

The application for a license must be accompanied by:

  • documents for automated systems and protected premises, and documents confirming the right of legal possession of premises, equipment and software, or that they are leased (with confirmation of the fact of transfer);
  • documents for access to secrets (to confidential information with restricted access);
  • copies of employment record books, employment contracts and education documents of the license applicant's employees;
  • documents confirming ownership of equipment, its verification, and its correct operation, documents for software, etc.;
  • information about the regulatory documents necessary for the implementation of activities to protect information;
  • description of the technological process of processing confidential information in the prescribed form.

Those who receive a license for the first time must submit notarized constituent documents of the organization.

Stumbling blocks

When it comes to licensing, organizations face three main challenges:

  1. Equipment. To perform work and provide services for the certification of protected premises and automated systems, equipment must be acquired (owned or held on another legal basis). The cost of a kit varies but is around a million rubles. If you begin the licensing process by purchasing equipment, it may turn out that by the time the application is submitted the equipment has to be re-verified (verification certificates are valid for one year). You can try to save money by renting equipment, but the lease must be specially formalized: the right to the equipment must be confirmed periodically, and supplementary agreements to the lease must be concluded stating that the equipment is located at the tenant's site. The downside of the lease option is that it reduces the chances of obtaining a license, since there is a high probability of formalizing the relationship incorrectly and being refused.
  2. Lease of premises. If the license applicant leases premises from a subtenant, the entire chain of documents up to the owner of the premises must be submitted. It is also necessary to ensure that the actual room numbers match the cadastral ones, so that the premises can be uniquely identified from the documents alone.
  3. Personnel documentation. Employees must have diplomas of higher professional education in the field of technical information security and more than three years of experience or a diploma of higher education from retraining courses / higher technical education and more than five years of experience. There must be at least three employees, and they must be employed by the applicant at the main place of work.

Life hack for successful licensing

In order to obtain a license, and then successfully pass, if necessary, the scheduled inspections of the FSTEC for compliance with the requirements, we suggest taking into account a number of points:

  1. It is better to buy equipment (if it is necessary for the type of activity you have chosen) rather than rent it.
  2. Constantly monitor changes in the legislative framework and keep the documentation up to date, including periodically updating and purchasing GOSTs (information about this is not a secret, the official website of the FSTEC of Russia is open to everyone).
  3. Update anti-virus software and licenses for instrumentation software and equipment in a timely manner.
  4. Timely re-certify premises and automated systems, since certificates are valid for a maximum of three years.

Initial license acquisition and scheduled inspection: differences

When an applicant obtains a license for the first time, communication with the licensing authority is remote: the parties exchange documents and communicate by phone. The supervisory authorities do not pay any personal visits to the applicant.

A scheduled inspection may be carried out three years after the license is obtained. FSTEC representatives check whether the personnel, premises, equipment and software declared when obtaining the license actually exist, including an assessment of the knowledge and competencies of the personnel listed in the licensing documents. Inspectors can request a list of the certificates issued by the certifying organization (if that type of activity is covered by the license), as well as a list of the clients to whom they were issued. In this way the regulators verify whether the certifying organization really provided these services and of what quality.

An unscheduled inspection is also possible, which is carried out at any time at the request of citizens, legal entities, the prosecutor's office or by a court decision.

Licensing work: issue price

From January 1, 2015, the state duty for the initial receipt of an FSTEC license for the technical protection of confidential information is 7,500 rubles, and for renewal 3,500 rubles. These costs are unavoidable, but they are the least expensive part of the work.

In accordance with the requirements of the licensing regulations, it is necessary to carry out attestations and develop documents for attestation of the protected premises and the automated system for processing confidential information. These services are provided by FSTEC licensees, for example, project representatives.

The range of services includes:

  1. Initial consultation. This is an introduction to the customer organization in order to understand why it needs a license, and to explain to the client what the license will give, what obtaining it will cost, and how much investment (time and money) will be required in the future. Among other things, specialists immediately report the organization's chances of successful licensing based on its readiness to apply now.
  2. Help with certification. Employees of the Kontur.Safety project conduct certification of meeting rooms, automated systems for processing confidential information according to security requirements.
  3. Consultation on the acquisition of equipment and software.
  4. Consultation on the acquisition of legal documents (GOSTs). Most GOSTs are available in electronic form in legal reference systems, but it is not enough to download and print them, since lawful acquisition (copyright compliance) must be confirmed.
  5. Assistance in coordinating issues related to the lease of premises and equipment.
  6. Consultation on the correct registration in the staff of employees working with confidential information.
  7. Assistance in filling out the application. The application form is published on the FSTEC of Russia resources and is not difficult to fill out, but many conditions regarding the supplementary documents must be met: on time, accurately and in full accordance with the requirements.

Licensing of activities for the technical protection of confidential information

In recent years, the legal framework in the field of information security has produced costly, confusing and contradictory mechanisms that take into account neither the specifics of processing confidential information in different fields of activity nor the ability of operators to comply with the established requirements. In addition, the requirements that the FSTEC of Russia imposes on operators of information systems processing confidential information, including personal data, include such a mechanism of state regulation as the licensing of activities for the technical protection of confidential information, for which most operators lack sufficient material and labor resources. This is especially true of budgetary organizations in education, medical care, and housing and communal services. Legal problems have arisen from the absence in federal legislation of laws on the protection of certain kinds of confidential information (for example, official secrets and professional secrets), from the ambiguity of provisions, and from the repeated changes and additions made to Federal Law No. 152 "On Personal Data" and other regulatory legal acts. At the same time, the federal laws require further specification and clarification by decrees of the Government of the Russian Federation and methodological documents of the FSTEC and the FSB of Russia.

The adoption by the Government of the Russian Federation on February 3, 2012 of Decree No. 79 "On licensing activities for the technical protection of confidential information", which approved the "Regulations on licensing activities for the technical protection of confidential information" (hereinafter the Regulations) and repealed the previous Decree No. 504 of August 15, 2006, once again raises the questions: what is new in the Regulations, and does an organization need an FSTEC of Russia license if it protects confidential information "for its own needs" rather than providing services for money?

In accordance with paragraph 1 of the Regulations, they determine the procedure for licensing activities for the technical protection of confidential information (information not constituting a state secret but protected in accordance with the legislation of the Russian Federation) carried out by legal entities and individual entrepreneurs.

A question immediately arises with the term "confidential information", which is used in the Regulations and in FSTEC of Russia documents but is absent from federal legislation. Federal Law No. 149 of 27.07.2006 "On information, information technologies and information protection" gives, in paragraph 7 of Art. 2, only a definition of confidentiality of information: a mandatory requirement that a person who has access to certain information not transfer it to third parties without the consent of its owner. "Confidentiality" derives from the Latin for "trust" (that is, when we transfer such information we rely on its safety and non-dissemination, since its disclosure may cause damage to the parties). It should be noted that the lack of clarity of certain terms, as well as sometimes unjustified changes to the definitions and concepts of information legislation, do not improve legal regulation in the information sphere. Meanwhile, the FSTEC of Russia continues to use the term "confidential information", which the legislators have already abandoned.

According to the legislation of the Russian Federation, the mandatory features of information with restricted access should be:

  • information has real or potential value for the owner due to its unknownness to third parties. Such persons may be the state, legal or natural persons;
  • information is not freely available legally. The possibility of keeping it unknown to third parties is established by federal law;
  • the owner of the information takes measures to protect it.

On March 6, 1997, the President of the Russian Federation issued Decree No. 188, which approved the "List of confidential information", according to which the following information was classified as confidential information:

  • about the facts, events and circumstances of the private life of a citizen, allowing to identify his personality (personal data), with the exception of information to be disseminated in the media in cases established by federal laws;
  • constituting the secret of the investigation and legal proceedings;
  • access to which is limited by state authorities in accordance with the Civil Code of the Russian Federation and federal laws (official secret);
  • related to professional activities, access to which is limited in accordance with the Constitution of the Russian Federation and federal laws (medical, notarial, lawyer secrets, correspondence, telephone conversations, postal items, telegraphic or other messages, etc.);
  • related to commercial activities, access to which is restricted in accordance with the Civil Code of the Russian Federation and federal laws (commercial secret);
  • on the essence of an invention, utility model or industrial design before the official publication of information about them.

The new Decree also clarifies the term "technical protection of confidential information" (hereinafter TZKI), which, in accordance with clause 2 of the Regulations, means:

Performance of work and (or) provision of services to protect it from unauthorized access, from leakage through technical channels, as well as from special influences on such information in order to destroy it, distort it or block access to it.

Thus, we are talking about either the performance of work on TZKI, or the provision of services on TZKI, or joint activities.

When carrying out activities for the technical protection of confidential information, the following types of works and services are subject to licensing:

  • control of protection of confidential information from leakage through technical channels in:
    - means and systems of informatization;
    - technical means (systems) that do not process confidential information but are placed in premises where it is processed;
    - premises with means (systems) to be protected;
    - premises intended for conducting confidential negotiations (hereinafter protected premises);
  • control of the security of confidential information from unauthorized access and modification in informatization tools and systems;
  • certification tests for compliance with information security requirements of products used to protect confidential information (technical means of protecting information, secure technical means of processing information, technical means of monitoring the effectiveness of information protection measures, software (software and hardware) means of protecting information (hereinafter IPS), protected software (software and hardware) means of information processing, software (software and hardware) means of information security control);
  • certification tests and certification for compliance with information security requirements of:
    - protected premises;
  • secure design of:
    - means and systems of informatization;
    - premises with means (systems) of informatization subject to protection;
    - protected premises;
  • installation, mounting, testing and repair of information security tools (technical information security tools, protected technical means of information processing, technical means of monitoring the effectiveness of information protection measures, software (software and hardware) information protection tools, protected software (software and hardware) means of information processing, software (software and hardware) means of information security control).

At the same time, the operation of information security tools, unlike the operation of cryptographic protection tools (where the licensing authority is the FSB of Russia), is not a licensed type of activity. This position of the FSTEC of Russia raises questions. Why are only the first stages of creating a protection system licensed, namely the design of the protection system and the installation of protection tools? Why is the daily work of specialists and information security services on operating the protection system and monitoring its effectiveness not subject to licensing? It is no less important than creating the protection system, given that the purpose of licensing certain types of activities is to prevent, detect and suppress violations by a legal entity, its head and other officials of the requirements established by Federal Law No. 99-FZ of May 4, 2011 "On licensing certain types of activities", other federal laws, and the regulatory legal acts of the Russian Federation adopted in accordance with them.

By virtue of paragraph 1 of Art. 49 of the Civil Code of the Russian Federation, a legal entity may engage in certain types of activities, the list of which is determined by law, only on the basis of a special permit (license). The types of activities requiring a license are listed in Federal Law No. 99-FZ of May 4, 2011 "On licensing certain types of activities", clause 5 of Art. 12 of which includes activities on TZKI among them.

The concept of "service" implies a certain type of contract (Chapter 39, Articles 779-783 of the Civil Code of the Russian Federation), that is, a multilateral transaction in which there must be another party (clause 1 of Article 154 of the Civil Code of the Russian Federation). But the concept of "work" is not defined in the law and can only be determined on the basis of many meanings in Russian: "occupation, labor, activity."

Thus, from the above wording, we can conclude that TZKI activities are subject to licensing both for third parties ("services") and for own needs ("works").

Accordingly, if an organization carries out work on the technical protection of its internal confidential information, it is obliged to obtain the corresponding license. For example, with respect to personal data protection, the operator has no "own needs" for such protection, and cannot have any by virtue of law. The sole purpose of Federal Law No. 152 "On Personal Data" is to protect the rights and freedoms of a person and citizen in the processing of his personal data; the law names no other goals (including meeting the needs of operators). In addition, under Federal Law 99-FZ "On Licensing Certain Types of Activities", licensed activities include those that may result in damage to the rights, legitimate interests and health of citizens. The law does not distinguish, with respect to a citizen's constitutional right to personal secrecy, between a personal data subject who is an employee and one who is a third party. Through the institution of licensing, the legislator protects every personal data subject from the consequences of poor-quality TZKI work.

The Administrative Regulations of the FSTEC of Russia on the performance of the state function of licensing TZKI activities (hereinafter the Administrative Regulations), approved by Order No. 181 of 28.08.2007 and last amended by Order No. 515 of September 30, 2011, determine the terms and sequence of actions (administrative procedures) of the FSTEC of Russia in exercising its powers to license TZKI activities. TZKI activities carried out by legal entities and individual entrepreneurs are subject to licensing.

An analysis of the Administrative Regulations shows that obtaining a TZKI license takes a great deal of time, effort and money. To obtain a license for TZKI activities, the applicant must confirm that it is able to fulfil the license requirements and conditions set out in the Regulations.

The licensing requirements for the applicant for a license to carry out activities under the TZKI are (clause 5 of the Regulations):

a) the license applicant (legal entity) has on its staff specialists who have a higher professional education in the field of technical information security, or a higher technical or secondary vocational (technical) education together with retraining or advanced training in technical information security;

b) the license applicant (licensee) has premises for the implementation of the licensed activity that meet the technical standards and requirements for the technical protection of information established by the regulatory legal acts of the Russian Federation and belong to him on the right of ownership or on another legal basis;

c) the presence, on any legal basis, of production, testing and control and measuring equipment that has passed metrological verification (calibration), marking and certification in accordance with the legislation of the Russian Federation;

d) the use of automated systems that process confidential information, as well as means of protecting such information that have passed the conformity assessment procedure (attested and (or) certified according to information security requirements) in accordance with the legislation of the Russian Federation;

e) the use of programs for electronic computers and databases intended for the implementation of the licensed activity on the basis of an agreement with their right holder;

f) availability of regulatory legal acts, regulatory and methodological and methodological documents on the issues of technical protection of information in accordance with the list established by the FSTEC of Russia.

As can be seen, to fulfil the above requirements an organization must have at least two specialists, who in some cases (in the absence of a specialized higher education) will need advanced training of at least 72 hours under curricula agreed with the FSTEC of Russia. Regulatory documents will also be required, including restricted-access ones, as well as the availability, on any legal basis (owned, or leased for a period not shorter than the term of the license), of production, testing and control and measuring equipment that has passed metrological verification (calibration), marking and certification in accordance with the legislation of the Russian Federation. Beyond that, it will be necessary to design, create and certify the informatization objects (automated system and secure premises) intended for processing confidential information. This raises the problem of acquiring, on some legal basis, control and measuring equipment that the licensee will never need in order to provide TZKI services. Moreover, most of these requirements are quite costly, above all for budgetary organizations in education, medical care, and housing and communal services.

The performance of the state function of licensing activities for TZKI in accordance with paragraphs 12-14 of the Regulations includes the following administrative procedures (Fig. 1):

  • informing and advising on the procedure for performing a state function;
  • consideration of an application for a license;
  • verification of the possibility of fulfillment by the license applicant of license requirements and conditions;
  • making a decision on granting a license;
  • issuance of a document confirming the existence of a license;
  • issuance of a duplicate and copies of a document confirming the existence of a license;
  • renewal of the license;
  • re-issuance of a document confirming the existence of a license;
  • control over compliance by the licensee with license requirements and conditions;
  • suspension, renewal of a license and cancellation of a license;
  • maintaining a register of licenses;
  • provision of information from the register of licenses.

An official of the FSTEC of Russia makes a decision to grant or refuse to grant a license within a period not exceeding 45 days from the date of receipt of the application for a license and the documents attached to it (clause 14.1 of the Regulations).

The grounds for refusal to grant a license are (clause 14.3 of the Regulations):

  • the presence of false or distorted information in the documents submitted by the license applicant;
  • non-compliance of the license applicant, or of objects owned or used by him, with the license requirements and conditions.

A license to carry out activities for the technical protection of confidential information is granted for a period of 5 years (clause 14.4 of the Regulations). At the same time, since January 30, 2011, the amount of state fees has been changed: for granting a license - 2600 rubles and for extending the validity of a license - 200 rubles.

As can be seen from the scheme and procedures (Fig. 1), TZKI licensing is carried out by the central office of the FSTEC of Russia with the involvement of the departments of the FSTEC of Russia in the federal districts, in contrast to the licensing procedures of the FSB of Russia, where the territorial departments of the FSB of Russia are responsible for licensing within their area of responsibility. The TZKI licensing process can take from two to six months and entail significant financial costs, especially when control and measuring equipment is purchased outright.

Is it possible to avoid licensing the TZKI activities of organizations and enterprises? The recommendations of the FSTEC of Russia boil down to concluding an agreement with an organization that holds a TZKI license, while holding such a license is not a mandatory requirement for the operator itself.

With fewer than 2,000 licensees in the register, the recommendation of the FSTEC of Russia to conclude agreements with licensees does not solve the problem of protecting confidential information. According to expert estimates, there are 5-7 million personal data operators in Russia alone, not counting operators who process other types of restricted access information subject to protection in accordance with federal law. In addition, a contract with a licensee is usually concluded only for a certain scope of work and services, as a rule only for the creation of a system for protecting confidential information.

What risks arise for the majority of organizations that do not have and do not plan to obtain a TZKI license, or to use the services of organizations that hold such a license, given that the state policy and the position of the FSTEC of Russia remain unchanged? Each organization must decide for itself whether it needs to obtain such a license. There are no administrative penalties for performing TZKI work without a license from the FSTEC of Russia, and in the current situation it is unlikely that such penalties will appear, since, given the imperfection of our legislation on the protection of confidential information, the courts interpret the norms of federal laws and the responsibility for failing to comply with them differently. As a result, the severity of the Decree is offset by the non-binding nature of its execution. For example, Article 14.1 of the Administrative Code of the Russian Federation provides for liability for "carrying out entrepreneurial activities without state registration or without a special permit (license)". According to Article 2 of the Civil Code of the Russian Federation, "entrepreneurial activity is an independent activity carried out at one's own risk, aimed at systematically obtaining profit from the use of property, the sale of goods, the performance of work or the provision of services by persons registered in this capacity in the manner prescribed by law." This alone suggests that Article 14.1 can only be applied to those who provide services and earn money by ensuring information security, i.e. licensees of the FSTEC and FSB of Russia. This article has nothing to do with the vast majority of organizations that process confidential information (restricted information that is not a state secret).

According to many information security experts, for the majority of non-governmental organizations not involved in the protection of state secrets, the only realistic forms of managing the protection of confidential information are the advisory use of regulatory legal acts, the regulatory and methodological documents of the regulators, the organizational and administrative documents of the organizations themselves, and the use of information security systems and tools developed and tested in the interests of public authorities and their subordinate enterprises. The basis for the operation of confidential information protection systems in this case is the information owner's own choice of the degree of protection and of the protection mechanisms. At the same time, judging by the experience of countries with developed information security legislation, the determining factors are the risk borne by the participants in information relations and their personal responsibility for the measures taken to protect confidential information. In Russia, for example, this approach is implemented when the Bank of Russia Standards are introduced in organizations of the banking system of the Russian Federation, where the requirements for obtaining licenses for the technical protection of confidential information and the requirements for attestation of personal data information systems are not mandatory (in accordance with clause 9.6 of STO BR IBBS-1.0-2010).

Alexander Katarzhnov

Candidate of Technical Sciences, Associate Professor, KNOU DO Educational Center "EUREKA"

Good day, dear readers!

Today, for the first time in a long while, I have again decided to raise the topic of working with personal data, since I believe that not all issues were clarified earlier, and innovations in our dynamic legislation are never long in coming. There are indeed many features. In particular, FSTEC Order No. 21 of February 18, 2013 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data when they are processed in ISPD" appeared, further amendments to 152-FZ "On Personal Data" appeared, and, as a result, the question of interpreting certain requirements of our regulatory framework has of course arisen again. All this, naturally, requires some revision of the existing views on the protection of personal data and on the actions of PD operators. Especially in conjunction with the constantly changing views of the regulators, the FSTEC and Roskomnadzor, on this matter. I wrote about many of these things in an article about the new operator procedure here.

And now we will talk about a question that is vital in our time and that I have not yet covered: does a PD operator need a license for the technical protection of confidential information? And if so, in what cases and why? If not, or if you really don't want one, then how do you properly explain yourself to the regulators? These questions, you will agree, are very relevant and very important. For obtaining such a license, even in its most simplified form, is oh so far from cheap, both financially and in terms of the nerves and effort spent.

So. Do we need an FSTEC license for the technical protection of confidential information, which we are in fact required to carry out by the whole of 152-FZ "On PD"? It is impossible to answer this question unequivocally for all possible situations. Therefore, we will analyze specific options.

To begin with, let's try to understand where the requirement to license TZKI activities comes from. The point is paragraph 5 of part 1 of Article 12 of 99-FZ "On licensing certain types of activities", which directly states that activities for, literally, the "technical protection of confidential information" are subject to licensing. Next, why is PD confidential information at all? Firstly, there is Article 7 of 152-FZ, whose title alone ("confidentiality of personal data") already says a lot. And there is also Presidential Decree No. 188 "On approval of the list of confidential information" dated 03/06/1997, the first paragraph of which reads: "any information about the private life of a citizen, as well as information that allows him to be identified, is PD", and they are included in the list. It's clear. And finally, why does the operator's activity fall under TZKI? Because 152-FZ obliges him to carry it out. That, in fact, is all. It would seem that there can be no questions here. The whole logic of the law is clearly traceable, but not everything is as sad as it seems at first glance. Let's move on to those options.

The first and most common option: we protect personal data for our own needs (i.e. the PD of our employees and/or our clients), which is processed solely for our own needs (or in the interests of the PD subject). To our great happiness, on May 30, 2012, Informational message No. 240/22/2222 "On the need to obtain a license from the FSTEC of Russia for the technical protection of confidential information" appeared on the FSTEC website. Its text is available, for example, . I will not reproduce it here (whoever is interested can follow the link in the previous sentence), I will only give the gist: if a legal entity carries out TZKI activities that are not aimed at making a profit or providing services and are not listed in its constituent documents, then it is not necessary to obtain the corresponding license. Accordingly, the "for our own needs" option does not require obtaining such a license. However, there are nuances here.

What to do if we do not want to use certified CIPF when clause 3 of part 2 of Art. 19 of 152-FZ requires it? This is also required by clause 13.d of PP No. 1119: "the use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the case when the use of such tools is necessary to neutralize current threats." This very "necessity" can only be determined by someone who is an expert in the field of information security, i.e. holds a TZKI license. ;) In addition, PP-1119 contains a requirement to compile a threat model, which includes the concept of actual threats of 3 types. The difference between the types is the presence of threats associated with undeclared capabilities (NDV) in various kinds of software. To be honest, NDV in both application and system software are always relevant, and for everyone. But the 1st type of threats makes our ISPD an incredibly high class, which entails the fulfillment of a whole bunch of protection requirements. How can we avoid types 1 and 2 of actual threats? There are two options: either use only system/application software certified for NDV (which is unrealistic), or obtain a TZKI license, which gives the right to conduct such expert assessments. In all other cases, long and unpleasant disputes with the regulator may arise. What to do? Everything is very simple. You can contact an FSTEC TZKI licensee and ask them to provide services on this particular issue (analysis of current threats). As they say, cheap and cheerful. :) The issue with certified cryptographic tools is solved in a similar way.

Option two: we protect/process the PD of another legal entity (its clients/employees). This is where it gets worse. In accordance with the same FSTEC information message, as well as the general legal reasoning above, a license will be needed. And there are no alternatives here: either obtain one or outsource the processing of personal data to a licensee.

Option three: we provide services for the protection of PD (or TZKI), or PD protection activity is prescribed in the constituent documents. I think that, based on the text above, everything is clear. As for the constituent documents, it is of course easier to simply rewrite them than to suffer through all of the above. ;)

Important point: TZKI activity is precisely the design of a protection system (for a personal data IS or anything else, it doesn't matter), i.e. compiling a threat model, selecting the elements of the information security system, etc.! The mere operation of an already working, ready-made system, for which everything has already been selected and all the models have already been compiled, is not protection and does not fall under the licensed activity! That is why the option of engaging a licensee to design a secure ISPD in the "cheapest" version is, as a rule, the most profitable and convenient one (unless, of course, we are talking about the processing of personal data for our own needs).

That, in fact, is all. I think that now, dear readers, you will have no more questions about the need to obtain a license.

Sincerely,
Lysyak Alexander

An FSTEC license is a special state permit that allows you to conduct legitimate activities directly related to the creation and use of software or innovative technologies. The licenses cover the storage of information data or the creation of databases for its storage.

An FSTEC license in Moscow and other regions of Russia with the specialists of the AP-Rial group of companies: hassle-free obtaining of a license. Information protection license: a full range of FSTEC licensing services.

Licensing Authority: Federal Service for Technical and Export Control
License validity period: indefinitely.
Territory of action: All territory of the Russian Federation
License issuance period: 45 business days.

FSTEC license price (assistance in obtaining): from 250,000 rubles

The FSTEC of Russia license is available to applicants from various regions of the country, but the licensing authority is exclusively the Federal Service for Technical and Export Control, located in Moscow. The period of validity of the official permit is indefinite, and its territorial scope is limited to the official borders of the state.

The period during which the applicant receives permits is 45 days from the date of submission of documents to the controlling state authority.

Obtaining various types of FSTEC license

The licensing process can proceed in three ways:

  1. Handling it yourself. It is difficult to call this method optimal. An unprepared applicant, as a rule, misses a number of key points related to bringing the documentation into the required form and completing timely training for employees and the manager. As a result, the process of obtaining permits may take more time and, consequently, reduce the potential profit of the enterprise.
  2. Partial transfer of powers for pre-licensing training to specialists. This is a more efficient method of going through the licensing procedure. The specialist oversees the process, directing the head of the company. But, it is worth noting that in this case, legal support cannot be complete, and, accordingly, there can be no guarantees of the result either.
  3. Full support of the process. Obtaining a FSTEC license with the participation of specialists guarantees a successful result. We have not only qualified specialists with experience in conducting licensing cases, but also the necessary technical and regulatory framework to ensure that the applicant fully complies with the requirements of the controlling authority.

A full range of services allows us not only to help enterprises obtain the license necessary for their activities, but also to be prepared for possible inspections during scheduled or unscheduled inspections.

Types of FSTEC license

Federal Law No. 99 of May 4, 2011 "On Licensing Certain Types of Activities" clearly regulates the list of activities subject to licensing. First of all, an FSTEC license must be obtained:

  • for participation in government tenders;
  • for activities related to the development and production of CIPF;
  • for activities related to TZKI;
  • for the processing of personal data.

Licensing by the FSTEC of Russia in the field of TZKI is regulated by Decree of the Government of the Russian Federation No. 79 of February 3, 2012 "On Licensing Activities for the Technical Protection of Confidential Information". The period of validity is indefinite, but enterprises must be ready, in the course of their activities, to confirm that they meet the requirements for licensees.

Licensing in the field of CIPF is governed by Decree of the Government of the Russian Federation No. 171 of March 3, 2012 "On licensing activities for the development and production of confidential information protection tools". The official document defines the requirements for applicants for this license.

Requirements for a FSTEC license in Moscow

In order for the applicant to receive official permission to operate in the industry, he needs documentary evidence of compliance with the following requirements:

  • The presence of employees with higher education in the "Information Security" field. It is permissible to engage specialists with secondary technical education of a similar profile, provided that they undergo professional retraining lasting at least 360 academic hours (a certificate of successful completion of training is required). Work experience in the field of information security is also important.
  • Ownership or lease/sublease (a valid lease agreement must be provided) of the premises necessary for carrying out professional activities. Workrooms must comply with the applicable government regulations.
  • Ownership or lease (a valid lease agreement must be presented) of the necessary equipment. Each technical unit must be accompanied by verification certificates and the certificates needed to confirm the correctness of the data provided.
  • Availability of up-to-date software necessary for conducting activities in the field.
  • Availability of regulatory and methodological documents bearing the "DSP" restriction stamp, and of GOSTs.
  • Availability of certified premises and a certified workstation (AWP) in accordance with the applicable requirements.

The FSTEC license provides for the full compliance of the licensee and the training of the staff to carry out this activity.

Order of the Licensing Process

Obtaining an FSTEC of Russia license with our participation means that our specialists undertake the following obligations:

  • preparation of the necessary documentation and bringing it to the established form;
  • holding if necessary;
  • preparation and submission of an application to the licensing authority (regardless of the location of the applicant);
  • certification of premises and workstations;
  • obtaining documentary confirmation of the delivery of documents;
  • carrying out procedures to eliminate the published shortcomings and comments, if necessary;
  • obtaining official permission (license) and its transfer to the licensee.

Certain types of FSTEC licenses require an FSB license to work with information that is a state secret.

We guarantee applicants obtaining a license and full compliance of the enterprise with state requirements at all stages of its further entrepreneurial activity.

Participation in exhibitions and conferences in the field of information security

AP-Rial specialists regularly visit thematic exhibitions and conferences, so they always keep up with all innovations in the field of information security. All the experience gained is applied in practice. Our extensive experience enables our lawyers to provide high-quality advice on what equipment an organization dealing with data protection or developing information security tools should have.

The other day, our employees visited the information security exhibition "INTERPOLITEX - 2018". The exhibition was organized by the Ministry of Internal Affairs (MVD), the Federal Security Service (FSB) and the National Guard. The photo report can be viewed on the page.