In their activities, enterprises of any form of ownership are guided by the norms of federal laws of the Russian Federation and legal acts of the industry and regional levels.
Taking into account the specifics of activities, on the basis of basic laws, internal regulations are developed, with which employees must be familiarized.
In fact, local legal acts specify the responsibilities, requirements, rules for access to information, the dissemination or destruction of which may adversely affect the business reputation of the enterprise.
Let's deal with a package of information security documentation aimed at ensuring the safety of data.
Requirements of the law for the completeness and content of local acts on information security
An integrated approach to solving the problems of confidential information safety allows to guarantee the integrity of data and prevent its loss, when organizational measures are carried out along with the use of technological means.
Before deciding on an information security policy, managers must identify potential threats that arise during the development, use, and transfer of valuable information.
There is no exact list of internal documents for organizing work on information protection in legislative acts. Therefore, the lists differ depending on the type of activity of the company.
Let's highlight the documents that establish the procedure for carrying out measures to protect data, the presence of which will help to avoid troubles during security checks by various regulatory authorities. They can be prepared according to templates, specifying the nuances associated with the company's activities.
1. Provisions:
- on the protection of personal, secret, confidential information;
- on the rules for using the internal information network, the use of Internet resources.
2. Orders:
- on the appointment of persons in charge to ensure the security of personal data processing;
- on the rules for storing electronic and paper carriers of valuable information, determining the procedure for access to them;
- on the creation of a commission that classifies the system and assigns it an appropriate protection class.
3. Job descriptions of specialists responsible for software, the operation of technical means that control the availability of information.
4. Security threat model based on the analysis.
5. Approved list of persons with access to information of strategic importance .
6. Rules:
- conducting the user identification procedure;
- installation (installation) of software;
- backing up databases, their recovery in the event of emergency situations.
7. Forms of accounting logs:
- receiving / issuing removable data carriers;
- technical means for processing and transmitting information;
- conducting briefings on data protection, safe use of personal computers;
- testing means of ensuring confidentiality, information protection;
- planned measures to prevent theft, unauthorized access to classified information, identify potential threats.
Optionally, the organization must have local documents on the processing, use and storage of personal data (based on Federal Law No. 152), on the use of cryptographic means to protect the system.
For internal documents to really help ensure the reliable operation of the system, it is important that they are developed with the participation of information security specialists.
17.12.2020
