Classification of personal data information systems
Resolution No. 1119, adopted on November 1, 2012, approved the requirements for the protection of personal data (PD) processed in information systems. It also defines several levels of security for such data.
The company that processes personal information determines the level of security it must provide and documents this in a corresponding act.
Personal data protection system
This system consists of organizational and technical measures, chosen according to the real threats that arise during the processing of PD and the information technology used in the information systems.
Security must be ensured by the operator that processes the PD. This can be a specific person who has been assigned these responsibilities, or a person acting on the operator's instructions under a contract (an authorized person). The agreement between the company and an authorized person must include that person's obligation to ensure the security of PD during processing in the personal data information system (ISPDN).
The operator selects the means of protecting the ISPDN, taking into account the standards introduced by the FSB of the Russian Federation and the Federal Service for Technical and Export Control in accordance with Part 4 of Art. 19 of the Law "On Personal Data".
An ISPDN that processes special categories of data is a system that processes personal data concerning race, ethnicity, political, religious or philosophical views and beliefs, health status, or the personal life of a PD subject.
An IS that processes biometric information is a system that processes information on the physiological and biological characteristics of a subject that makes it possible to establish the subject's identity and that the operator uses for this purpose. Special categories of PD are not processed in such a system.
Information systems with publicly available data process information obtained from publicly available PD sources formed in accordance with Art. 8 of the law on personal data.
An information system that processes the PD of the enterprise's employees performs all actions only with the data of its own employees. In all other cases, the ISPDN is considered an information system that processes information about subjects who are not employees of the enterprise.
Actual threats, types
Relevant (actual) threats are a set of conditions and factors that create a danger of unauthorized, including accidental, access to PD while it is being processed in an IS. Such access can result in confidential information being destroyed, altered, blocked, copied, provided to someone, distributed, or used to perform other illegal actions.
Legislation identifies three types of threats that may be relevant to personal data:
- threats of the first type are those relevant to an information system that include threats associated with undocumented capabilities in the system software used in the IS;
- threats of the second type are those relevant to an IS that include threats associated with undocumented capabilities in the application software used in the IS;
- threats of the third type are those relevant to an IS that are not associated with undocumented capabilities in the system or application software used in it.
The operator independently determines the type of threats relevant to the security of PD, taking into account the damage they could cause and following paragraph 5 of part 1 of Art. 18 of the Federal Law on personal data, as well as part 4 of Art. 19 of the same document.
By structure, ISPDNs are classified as:
- autonomous, located within one workstation;
- local, consisting of a group of automated workstations joined into one local network;
- distributed, in which workstations and interconnected local area networks communicate by remote access.
By mode of work with PD, ISPDNs are divided into single-user and multi-user systems. The former are quite rare; usually there can be two interchangeable people within one workplace.
Multi-user ISPDNs are subdivided into:
- those that do not restrict access rights;
- those that delimit these rights.
By location, ISPDNs are divided into:
- systems located on the territory of the Russian Federation;
- systems located in whole or in part outside of Russia.
Four levels of security are established for PD processed in information systems.
The first level must be ensured if at least one of the following conditions is met:
- type 1 threats are relevant to the IS and it processes special categories of PD, biometric PD, or other categories of PD;
- type 2 threats are relevant and the IS processes special categories of PD of more than 100 thousand subjects who are not the operator's employees.
The second level must be ensured if at least one of the following conditions is met:
- type 1 threats are relevant to the IS and it processes publicly available PD;
- type 2 threats are relevant and the IS processes special categories of PD of the operator's employees, as well as special categories of PD of no more than 100 thousand subjects who are not employees of the enterprise;
- type 2 threats are relevant and the IS processes biometric PD;
- type 2 threats are relevant and the IS processes publicly available PD of more than 100 thousand subjects who are not the operator's employees;
- type 2 threats are relevant and the IS processes other categories of PD of more than 100 thousand subjects who are not employees of the enterprise;
- type 3 threats are relevant to the ISPDN and it processes special categories of PD of more than 100 thousand subjects who are not employees of the company.
The third level must be ensured if one of the following conditions is met:
- type 3 threats are relevant and the IS processes publicly available PD of the company's employees, or publicly available PD of more than 100 thousand subjects who are not employees of the enterprise;
- type 2 threats are relevant and the IS processes other categories of PD of the operator's employees, or other categories of PD of up to 100 thousand subjects who are not the operator's employees;
- type 3 threats are relevant and the IS processes special categories of PD of the operator's employees, or the same data of up to 100 thousand subjects who are not the operator's employees;
- type 3 threats are relevant and the IS processes biometric PD;
- type 3 threats are relevant and the IS processes other categories of PD of more than 100 thousand subjects who are not the operator's employees.
The fourth level must be ensured for the ISPDN if one of the following conditions is met:
- type 3 threats are relevant and the IS processes publicly available PD;
- type 3 threats are relevant and the IS processes other categories of PD of the operator's employees or of subjects who are not its employees, numbering up to 100 thousand people.
To ensure the 4th level of PD security, the following requirements must be met:
- establish a regime that secures the premises housing the information system and prevents unauthorized access to or presence in those premises by people who have no right to be there;
- ensure the safety of personal data storage media;
- have the head of the operator approve a document listing the employees who need access to the PD processed in the information system to perform their duties;
- use information security tools that have passed an assessment of compliance with the requirements of Russian Federation information security legislation, where such tools are needed to neutralize relevant threats.
The third level of PD security is ensured by the above requirements plus the appointment of a specific official responsible for ensuring PD security in the information system.
The second level, in addition to all the requirements listed above, requires restricting access to the contents of the electronic message log. Access should be allowed only to those officials of the operator (or of the authorized person) who need the information in the log to perform their work or official duties.
To ensure the first level of PD security, in addition to all the requirements described in this section, the following conditions must be met:
- automatic registration in the electronic security log of every change to the permissions an operator's employee has for accessing the PD stored in the information system;
- creation of a unit within the operator's structure that is responsible for establishing and maintaining PD security in the information system. These responsibilities can also be assigned to a specific structural unit.
The operator must monitor compliance with all requirements established by the legislation of the Russian Federation for the use of personal data. This can be done either independently or with the involvement of licensed legal entities and individual entrepreneurs under an agreement for the technical protection of personal information and confidential data. Such control should be carried out once every three years. The operator sets the terms independently.
ISPDN classification act
The act should determine the structure of the entire PD system, as well as the mode in which confidential information will be processed. This document is classified as confidential and must be assigned an account number.
To carry out the classification, the operator must create a special commission at the enterprise. It must include the person responsible for the protection of personal data. The commission is appointed by order of the owner of the enterprise and carries out its activities in accordance with the Regulations on such a commission. The results of its work are formalized in the ISPDN classification act. The act is signed by all members of the commission and approved by its chairman.