Classes of personal data protection
Personal data (PD) protection parameters are a set of certain conditions for compliance with the requirements of legal norms, which makes it possible to effectively protect information systems containing, processing and using this information from unauthorized access.
The main personal data include name, date of birth, address of residence, property status, education, membership in any profession. The operators of this and many other data are government agencies, municipal authorities, individuals and legal entities that process PD.
The subjects of PD are individuals. The operator is obliged to create the necessary conditions for the protection of this information in accordance with the norms of the legislation of the Russian Federation.
Decree No. 1119 of December 1, 2012, instead of the previously used classes of personal data information systems (PDIS) in Russia, the levels of PD security are applied. This document defines specific requirements for the protection of PD when working with them in information systems and for the levels of their security.
The level of security depends on:
- data categories;
- actual threats;
- the number of people whose PD processing is carried out;
- contingent of citizens - subjects of these data.
Informsystems PD are divided into four categories:
- Biometrics contain information about the biology and physiology of the subject, with the help of which it becomes possible to identify his person.
- Specialties include race and nationality, political preferences, religious or philosophical beliefs and beliefs, information about physical and mental health, sexual choices and life.
- Information about the main personal data, which is the property of the broad masses due to easily accessible sources in which they are stored and processed, is classified as publicly available.
- Other ISPDs use data that are absent in the previous groups.
The volumes of processed personal data in ISPD are divided into two groups: up to 100,000 people and more than 100,000.
By the form of interaction between the operator and the subjects, work with PD is divided into two types:
- work with PD employees;
- work with other people's PD.
The current threats to the security of personal data include intentional or accidental unauthorized access, as a result of which data can be destroyed, falsified, altered, blocked, copied, disseminated by the media, etc.
The ability to determine the types of existing current threats is provided to the operator himself with the involvement of information security specialists.
The current types of threats include:
- undocumented capabilities of the system software ISPDN, which allow unauthorized entry;
- undocumented capabilities of application software;
- other threats.
PDIS security levels
In total, there are four levels of protection (LP) PD.
LP-1 is installed:
- if there are type I threats and the information system works with special, biometric or other categories of personal data;
- if there are type II threats and the information system works with special categories of personal data for over 100 thousand citizens.
LP-2 is installed in case of threats of the following types:
- I and handling publicly available personal data;
- II and working with the personal data of the operator's employees or when working with a special category below 100 thousand people;
- II and work using biometric personal data;
- II and the processing of publicly available personal data with an amount of 100 thousand people (without operator personnel);
- II and work with other types of PD with a number of 100 thousand people (excluding operator's employees);
- III and work with a special category of more than 100 thousand people (not counting the operator's personnel).
LP-3 is installed in the presence of the following types of threats:
- II, including work with publicly available PD with the number of people up to 100 thousand people;
- II with work with other categories up to 100 thousand people;
- III with the processing of special categories up to 100 thousand people;
- III using biometric PD;
- III with work with other categories exceeding 100 thousand people (except for the operator's personnel).
LP-4 is installed in case of threats:
- III type and work with publicly available information;
- III type and processing of other categories less than 100 thousand people.
Personal data protection requirements for existing security levels
|Prohibition of the presence of unauthorized persons in the places of PD processing||+||+||+||+|
|Safety of data carriers||+||+||+||+|
|Drawing up a list of employees by management who have free access to personal data||+||+||+||+|
|Use of legally certified data protection devices||+||+||+||+|
|Appointment of a responsible employee for the proper provision of personal data protection||+||+||+||-|
|Limiting the availability of the electronic message log||+||+||-||-|
|If the official powers of an employee change, then an automatic entry is made in the electronic security log||+||-||-||-|
|The institution that processes PD should have a department dealing with security issues||+||-||-||-|
If the security level of PD has already been established, it becomes possible to select appropriate organizational and technical measures to ensure PD security in accordance with Order No. 21 of 18.02.2013 FSTEC RF.
The requirements are enforced by the operator himself, or legal entities or individuals licensed for technical methods of protecting confidential information are involved in this work under contracts. The PDIS operator determines the level of PD security and draws up the corresponding act.
Compliance with the prescribed safety standards should be checked at least once every three years.