FSTEC recommendations on personal data protection
Personal data of citizens, as well as of authorized legal entities and individual entrepreneurs, is subject to a special protection regime defined by federal laws and regulations. The technical side of that security, i.e. the requirements for the methods and technical means used to process such data, is established by orders of the FSTEC of the Russian Federation.
The Federal Law "On Personal Data" assumes that information about citizens, their private life, property status and health, stored and processed in information networks, must not unlawfully come into the possession of third parties. Imperfections in information processing systems often lead to leaks of important information, including personal data. Leaks can be both accidental and deliberate. To avoid such situations, which can cause harm to citizens, special requirements for information systems are being developed. For organizations recognized as personal data operators in the manner prescribed by law, the technical requirements for their processing systems are established by orders of the FSTEC of the Russian Federation.
Order No. 21, which came into force in 2013, is currently in effect; it defines the technical and organizational measures for protecting personal data. It has been repeatedly supplemented and amended to reflect the requirements of the moment; the last revision was adopted in 2017. The annex to the document that defines the scope of measures contains recommendations regulating:
- identification and authentication of persons whom operators allow to process personal data;
- management of access to that data;
- the software environment and restrictions on it;
- physical protection of computers containing information related to personal data;
- the procedure for registering security incidents;
- the procedure for organizing anti-virus protection;
- methods of detecting and recording intrusions into the protected information perimeter;
- control over the security of personal data;
- protection of technical means.
The choice of measures for organizational and technical protection of personal data depends on the security class of the information system, determined according to the rules established by Government Decree No. 1119.
Application of the order of the FSTEC RF
The release of the document in 2013 was welcomed by personal data operators. Before the required measures were specified, operators worked in conditions of uncertainty, not knowing to what extent the technical measures and protective tools they used met the requirements. The document fully matched the requirements of the moment and took into account changes in the information environment associated with the emergence of new technical means, such as:
- virtualization of personal data systems;
- cloud storage;
- mobile platforms.
But the order also had drawbacks. It did not strictly require spending funds on a particular set of protections, allowing a choice from the existing list, yet some norms were considered redundant by the community of operators. The FSTEC order introduced 15 groups of technical and organizational measures for the protection of personal data, each group containing from 2 to 20 separate measures. For each measure it was established whether it is basic (mandatory for application) or compensating (optional, but reinforcing the level of protection). Some measures are purely compensating and are not basic for any of the four security levels.
After the FSTEC order came into force, the operator's actions became more specific than before. Now, without additional consultation, when setting up an information system for protecting personal data, the operator has the right to act according to the following algorithm:
- studies Decree of the Government of the Russian Federation No. 1119 and determines which security level its personal data protection system falls under. The level depends on the number of people whose data is processed and on the category of that data;
- selects from the FSTEC of Russia document all measures marked with a plus for that security level (the so-called basic measures, formally mandatory for use);
- excludes measures that cannot be applied because the operator does not have the corresponding technology at its disposal (for example, virtualization tools);
- reviews the remaining basic measures and maps them onto a previously developed model of actual threats to the security of personal data. If not all threats are covered by the basic measures, some of the recommended compensating measures are added to them;
- forms the final list of measures;
- draws up a schedule for their implementation and begins to carry it out.
Carrying out this strategy on their own is not always feasible, and operators have to purchase services for setting up a personal data protection system from professional participants in the information systems development market.
Difficulties in the implementation of the FSTEC recommendations on the protection of personal data
Despite the general clarity of the recommendations, operators and programmers note some difficult points in their implementation. Among them:
- the wording of Order No. 21 is often unclear and vague, having been written by people who are not software professionals. The provisions allow double interpretation and often lack the necessary explanations;
- it is unclear whether the organization itself can carry out work on setting up the system in the absence of a FSTEC license or is obliged to involve a licensed organization for all work. The practice has taken the path of allowing self-configuration of the personal data protection system even in the absence of a license;
- the need to assess the personal data protection system every three years, combined with the lack of a methodology for such an assessment. Inspections by the FSTEC of the Russian Federation are not, in fact, such an assessment.
Despite some shortcomings, the recommendations of the FSTEC of the Russian Federation on organizing an information system for the protection of personal data have helped to restore order in the market and have helped in the fight against the most pressing security threats.