Information security document templates
To ensure the protection of confidential information, organizations must comply with the requirements established by the laws of the Russian Federation. For this they need a set of standard information security documents that incorporate these requirements. These documents serve as the basis for developing the methods of protecting confidential information used in the organization. They include instructions, rules and regulations drawn up in accordance with defined templates.
What issues are taken into account in templates
The documents reflect the general mandatory requirements of Russian legislation on information security, as well as matters that depend on the specific nature of each organization's activities.
In the templates, all documents are divided into the following groups:
- general - documents applicable to all information systems;
- for GIS and MIS (state and municipal information systems);
- PD - everything related to the protection of personal data;
- CIPF - documentation related to means of cryptographic information protection;
- related to security threats, their modeling and elimination.
The group of general documents includes:
- orders appointing the persons responsible for ensuring security and for monitoring the effectiveness of information protection. The company must have an information security administrator, whose duties include technical security support, as well as an employee who controls the processing of information on paper. An instruction with a detailed description of the tasks is developed for each of them;
- an order establishing an incident response group. The group is responsible for detecting violations (failures of technical security means, unauthorized access to the information system, introduction of viruses). Its responsibilities include analyzing violations, taking measures to eliminate the consequences and preventing the recurrence of incidents;
- instructions for working with classified information. They are created to familiarize employees with the norms of Russian legislation and the liability for violations;
- an information security policy document. It covers the delimitation of access to classified information and the rules for interaction with other networks. It contains a list of approved software and describes the data backup procedure;
- an order establishing a "controlled zone", which personnel without clearance for classified information are prohibited from entering.
The same folder of templates contains registration logs for hard drives, laptops, memory cards and other storage media, as well as a plan for monitoring the effectiveness of protection.
It also includes an order and an act classifying the information system, determining its required security level and assigning security class 1, 2 or 3 accordingly.
To put a system into operation, an order confirming its compliance with information security requirements is required, along with the issuance of the corresponding certificate to the organization.
The personal data (PD) group of documents includes:
- a regulation on the protection and processing of personal data;
- rules for submitting and handling requests from data subjects to clarify their personal data or to object to its processing. The rules should set deadlines for handling such requests and provide response templates (both positive and negative) together with their justification;
- an order approving the list of employees granted access to personal data for automated processing and for review on paper. The document lists by name the persons who have access to employees' personal files and to client data;
- orders on the methods and places of storage of paper and electronic media containing personal data;
- logs of documents and devices containing PD, of requests for personal data, of visitor registration, and of the cryptographic protection means in use;
- acts defining the procedure for destroying personal data and erasing it from storage devices;
- instructions for the information security administrator on the rules for modifying PD, copying it and providing anti-virus protection.
The CIPF group includes document templates that define the procedure for working with cryptographic information protection tools. The kit includes an agreement on the period of use of cryptographic information protection tools and an order on developing the instructions and accounting logs for the cryptographic tools that ensure the organization's information security. On the basis of this order, instructions on the rules for handling the various means of cryptographic protection are created for the person responsible for their use.
A list of employees who have access to the CIPF is compiled. Registration logs for the cryptographic information protection tools and for the employees permitted to work with them are set up. A form of act regulating the procedure for destroying key documents related to the use of cryptographic information protection tools is also developed.
The same group includes appendices on the procedure for personnel access to the premises where cryptographic information protection tools are used, and the log for issuing the keys to this room.
The templates are compiled taking into account the general legislation on security standards and the rules for protecting confidential information. They reflect the requirements for ensuring information security and protecting personal data. The responsible persons who develop the instructions, logs, accounting forms and other documentation take into account factors specific to their enterprise and make the corresponding changes to the security documentation.