Protection of personal information
Solutions for the protection of personal data in Russian companies and institutions are formed based on organizational and technical measures. They must comply with the norms of legal acts: the Constitution of the Russian Federation (Article 24), Federal Law No. 152-FZ "On Personal Data" and special requirements of regulators. The functions of regulators are performed by:
- Federal Service for Supervision of Communications, Information Technology and Mass Media - Roskomnadzor;
- Federal Service for Technical and Export Control - FSTEC;
- Federal Security Service - FSB.
Roskomnadzor monitors compliance with personal data legislation in general, while FSTEC and the FSB formulate the methodological, technical, and organizational requirements for the security of information systems that process personal data.
What is personal data?
The definition of personal data (PD) is contained in Law 152-FZ.
The key feature of this definition is the phrase "any information": under such wording, practically every organization falls under the notion of a "personal data operator". The logic is clear. When taking a job, for example, a person hands over all information about himself to the employer, and a company that concludes, say, an agreement with an individual receives and processes that individual's personal data. Government agencies, banks, online stores, and social networks are just a few examples from an extensive list of PD operators.
Sanctions for violating the law's rules on processing and protecting personal data range from fines (since July 1, 2017, the fines have been increased) to administrative liability, and criminal prosecution is not excluded.
Violating the procedure for handling personal data also threatens the loss of business reputation. When such facts about a company come to light, customers often leave. This means that for every company that directly or indirectly handles personal data, complying with the requirements of 152-FZ and with the instructions of the regulatory and supervisory bodies in the field of personal data is a vital necessity.
There is no one-size-fits-all approach to meeting the requirements of all organizations that are subject to regulatory control. According to the law, personal data is divided into four categories. Companies form a personal data protection system depending on the category; accordingly, the requirements for the operator also differ.
The most difficult and costly process is the introduction of a full-fledged set of measures to secure a personal data information system (ISPD) that processes information about the subject's race and nationality, religion, health, intimate life, and political and philosophical views. All of the above data belong to the group of special PD. The law requires information in this category to be protected with particular care.
The law's security requirements for biometric PD, that is, biological and physiological characteristics that allow the data subject to be identified, are also high.
A company that has received the client's written consent to process the full name, date, and place of birth, home address, occupational data, contact information becomes the operator of publicly available PD. Such information is used, for example, to compile telephone directories. The legislation sets minimum requirements for the protection of publicly available personal data in comparison with other categories.
The fourth category - other PD - includes all information that cannot be classified as special, biometric, or publicly available, but by which the data subject can be identified. Protecting other PD is easier than protecting biometric or special PD. However, the security requirements are higher than for systems that process publicly available data.
According to government decree No. 1119 of 01.11.2012 "On approval of requirements for the protection of personal data when processing them in personal data information systems", operators must take the number of PD subjects into account when building protection mechanisms. The legislation divides ISPD into those processing the data of fewer than 100 thousand subjects and those processing the data of more than 100 thousand subjects.
When designing comprehensive protection for an ISPD, the possibility of an insider within the infrastructure must be taken into account. Any employee can damage personal data, whether intentionally or through negligence.
Measures that help prevent unauthorized access, increase the reliability and resilience of the ISPD, and preserve the integrity and availability of information within the system are listed in 152-FZ. The law prescribes:
1. Determine the scale of the information system and the category of personal data, and model the security threats.
2. Implement organizational and technical security mechanisms according to the four levels of security. The levels are defined in government decree No. 1119.
3. Use information security tools whose capabilities are confirmed by FSTEC and/or FSB certificates of conformity.
4. Before starting PD processing, conduct a comprehensive security audit, including an audit of the information system, of the security components, and of compliance with the organization's internal organizational and methodological orders.
5. Introduce a system for accounting for all types of carriers of restricted information, including PD.
6. Introduce backup and restoration functions for personal data in the information system in case of unauthorized modification or destruction.
7. Establish rules for the operator's employees' access to personal data in the IS. Access levels should be segmented according to job responsibilities.
8. Implement tools for auditing and logging employees' actions with personal data.
9. Monitor compliance with the security rules for operating with personal data and the continuous operation of the ISPD's protective hardware and software.
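Items 7 and 8 above (access segmented by job role, plus logging of every action with personal data) are easiest to understand in code. The example below is added here for illustration and is not taken from the article or from any regulator's guidance: the roles, the permitted fields per role, the sample record, and the employee names are all constructed assumptions. Each access attempt, granted or refused, is appended to a log in which every entry carries the SHA-256 of the previous entry, so that editing or deleting a line later is detectable, which is the kind of protection of the audit trail that the FSTEC requirements discussed further below call for.

```python
"""Added example (not from the original article): role-based access to
personal data records with a tamper-evident audit trail.

Everything here is constructed for illustration: the roles, the sample
record and the employee names are assumptions, not values from the text.
"""
import hashlib
import json
from datetime import datetime, timezone

# Role -> set of PD fields the role may read (assumed, segmented by job duties).
ROLE_PERMISSIONS = {
    "hr_manager": {"full_name", "birth_date", "home_address", "position"},
    "payroll": {"full_name", "position", "bank_account"},
    "helpdesk": {"full_name", "work_phone"},
}

# Constructed sample record of one PD subject.
SAMPLE_RECORD = {
    "full_name": "Ivan Ivanov",
    "birth_date": "1985-03-14",
    "home_address": "Moscow, Example st. 1",
    "position": "engineer",
    "bank_account": "40817810000000000001",
    "work_phone": "+7 495 000-00-00",
}


class AuditLog:
    """Append-only log where every entry carries the SHA-256 of the
    previous entry, so removing or editing a line breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, actor, role, action, fields, granted):
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "fields": sorted(fields), "granted": granted,
            "prev": prev_hash,
        }
        body["hash"] = self._digest(body)
        self.entries.append(body)

    @staticmethod
    def _digest(body):
        # Hash the canonical JSON of every field except the hash itself.
        payload = {k: v for k, v in body.items() if k != "hash"}
        raw = json.dumps(payload, sort_keys=True).encode()
        return hashlib.sha256(raw).hexdigest()

    def verify(self):
        """Return (ok, index): index of the first broken entry, or -1 if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1


def read_fields(actor, role, requested, record, log):
    """Return only the fields the role is allowed to see and log the attempt.
    Raises PermissionError if any requested field is outside the role; the
    refused attempt is still recorded, since refusals are what an auditor
    looks for first."""
    allowed = ROLE_PERMISSIONS.get(role, set())
    requested = set(requested)
    denied = requested - allowed
    granted = not denied
    log.append(actor, role, "read", requested, granted)
    if denied:
        raise PermissionError(f"{role} may not read {sorted(denied)}")
    return {f: record[f] for f in requested}


if __name__ == "__main__":
    log = AuditLog()
    print(read_fields("o.petrova", "helpdesk", ["full_name", "work_phone"],
                      SAMPLE_RECORD, log))
    try:
        read_fields("o.petrova", "helpdesk", ["bank_account"], SAMPLE_RECORD, log)
    except PermissionError as err:
        print("refused:", err)
    print("log intact:", log.verify())
    log.entries[0]["actor"] = "somebody_else"      # simulate tampering
    print("after tampering:", log.verify())
```

In a real ISPD the log would be written to a medium the operator's ordinary employees cannot modify (a separate log server or write-once storage), and the chain head would be stored out of band; the hash chain only makes tampering visible, it does not prevent it.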
Federal law defines a general "protective field" for personal data. Specific norms are contained in FSTEC order No. 21 of 18.02.2013. For example:
1. In the PD processing system, identification and authentication must be applied to users, system components, and personal information, that is, to the access objects that must be protected. Implementing this requirement involves comparing the unique identifiers assigned to subjects and objects in the ISPD, which means that authorization and rights-differentiation mechanisms are necessary.
2. The software environment should be restricted, which implies a fixed list of system and application software. Users must not have the authority to change the set of system components and permitted software; a user may run and use software only within his role. This protects against accidental actions by employees that could damage the ISPD.
3. Storing and processing PD on removable media is possible only with properly functioning accounting of such devices.
4. The operator must ensure continuous security monitoring: keep an audit trail of events in order to track what happened and what measures were taken. At the same time, the audit log itself must be reliably protected from modification and deletion.
5. The PD protection system must include anti-virus software. Malicious software frequently causes leaks of confidential information and partial (less often, complete) failure of the information infrastructure.
6. Along with antivirus, it is recommended to use intrusion detection and prevention systems. They make it possible to analyze and identify unauthorized access at the network or host level, attempts to abuse privileges, or the introduction of malware, and to take measures to eliminate the threat: notifying the security officer, resetting the connection, blocking traffic, etc.
7. Unauthorized changes to and damage of the information system and PD are also recorded by integrity assurance systems, which, when used in an ISPD, must be able to restore damaged components and information.
8. The security level of the ISPD is subject to regular control. The deployed software components, hardware tools, and configured settings must ensure continuous and complete protection of information processing and storage procedures in accordance with the class assigned to the information system.
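Item 2 above, a fixed list of permitted software that the user cannot change, is usually enforced by comparing a binary against an approved manifest before it is allowed to start. The following example is added for illustration and is not code from the article or from any FSTEC-certified product; the manifest format (path to SHA-256), the file names, and the helper names are assumptions. It refuses a launch in all three cases a practitioner cares about: the program is not on the list, the approved file has gone missing, or the approved file no longer matches its recorded hash.

```python
"""Added example (not from the original article): enforcing a fixed list of
permitted software by checking executable hashes against a manifest.

The manifest format, the file names and the helper names are assumptions
made for this illustration.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Record the approved binaries as absolute path -> SHA-256.
    Done once by the administrator when the software set is fixed; the
    resulting manifest must itself be stored where users cannot edit it."""
    return {os.path.abspath(p): sha256_file(p) for p in paths}


def check_launch(path, manifest):
    """Decide whether a launch request should be permitted.
    Returns (allowed, reason). Unknown paths, missing files and changed
    binaries are all refused, so an employee can run only the software
    that was fixed for the system."""
    full = os.path.abspath(path)
    expected = manifest.get(full)
    if expected is None:
        return False, "not in the approved software list"
    if not os.path.isfile(full):
        return False, "approved binary is missing"
    if sha256_file(full) != expected:
        return False, "binary differs from the approved version"
    return True, "approved"


def demo():
    """Self-contained walk-through using constructed files in a temp directory.
    Returns the three decisions: approved file, unknown file, tampered file."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "report_tool.bin")
        unknown = os.path.join(d, "unknown.bin")
        with open(approved, "wb") as f:
            f.write(b"\x7fELF approved build v1")   # constructed stand-in for a binary
        with open(unknown, "wb") as f:
            f.write(b"\x7fELF something else")
        manifest = build_manifest([approved])
        decisions = [check_launch(approved, manifest)[0],
                     check_launch(unknown, manifest)[0]]
        with open(approved, "ab") as f:
            f.write(b" tampered")                   # simulate a modified binary
        decisions.append(check_launch(approved, manifest)[0])
        return decisions


if __name__ == "__main__":
    print(demo())
```

Real allowlisting solutions hook the operating system's program loader rather than being called by the program itself, and they typically verify a vendor signature in addition to a hash, but the decision logic is the same as in `check_launch`.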
The list of measures established by FSTEC for implementing the ISPD security system is not limited to the points above. Order No. 21 contains requirements for virtualization tools, communication channels, ISPD configuration, classes of computer equipment, anti-virus systems, and other protection parameters. In addition to the FSTEC order, when introducing a personal data protection complex, the organization acting as data processor must be guided by FSB of Russia order No. 378 of July 10, 2014.
It is impossible to develop and implement the full range of personal data protection measures without mastering the regulatory framework, the skills to configure technical means, and the principles of the software that ensures information security. This means that entrusting personal data protection to a single employee is short-sighted at best. A single mistake at any level risks fines from regulators and the loss of customer loyalty.
An employee without information security competencies can understand the legislation and determine the category of personal data. The step-by-step instructions available on the Web will help develop regulations for informing PD subjects about the collection of information and draw up a notification to Roskomnadzor about the company's activities as a PD operator; these are standard documents. Defining roles, delimiting access, and fixing which employees have access to personal data and which operations they are entitled to perform on it is an easy task for specialized software.
At the stage of drawing up a security policy and identifying actual threats, one cannot do without a specialist with specialized knowledge. The implementation cycle of software and hardware systems, from selection to production use of the software and equipment, requires an understanding of the FSTEC and FSB documentation. The specialist should not only be familiar with the classes of computer equipment (SVT), antiviruses, and firewalls, but also know how to guarantee confidentiality and ensure reliable communication between ISPD segments.
The problem is that even an IT or information security specialist with the required qualifications will not be able to implement and maintain an information security subsystem in the ISPD unless several conditions are met. Working with technical protection means is an activity licensed by FSTEC. This means that the PD operator will face the task of obtaining a license from the regulator.
Large organizations should hire a staff of information security specialists, fulfill the conditions for obtaining an FSTEC license, and then independently create and maintain a personal data protection system.
For small organizations that process PD, maintaining an information security staff is not economically viable. A less costly, more reasonable, and faster option is to engage FSTEC licensees, that is, organizations professionally engaged in information protection. Licensees' specialists already have the necessary knowledge of the regulatory and technical base and experience in building complex security systems, including information security systems.