Personal data protection issues
The Constitution of the Russian Federation has secured the democratic path of development of our state, the highest value of which is the individual and the protection of their rights. Even today, however, some issues remain unresolved, among them securing citizens' right to privacy and the problems of protecting personal information.
In 2006 the Federal Law of the Russian Federation No. 152 "On Personal Data" was signed; to meet its stricter requirements, the databases designed for the accumulation, storage or issuance of personal data were modernized. The requirements for the protection of personal data are detailed in:
- The Regulations on the security of personal data information systems, approved by Decree of the Government of Russia No. 781 in 2007.
- The joint order of the FSB, the Ministry of Information and Communication and FSTEC No. 55/86/20 of 2008.
- Internal instructions of the FSB and FSTEC.
These personal data protection requirements apply to all companies, institutions and organizations and are aimed at preventing leaks of confidential information.
Personal information protection issues
A number of common problems in protecting personal data arise from organizational and technical factors.
Decree of the President of Russia No. 188, which approved the list of confidential information subject to legal protection, includes personal data in that list. Protecting it therefore requires an FSTEC license for the technical protection of confidential data. FSTEC of the Russian Federation imposes similar requirements on operators of class 1, 2 and 3 information databases, which covers most commercial and government organizations. Using cryptographic means to protect the processed confidential data additionally requires an FSB license.
To obtain such licenses, the organization's employees must have the appropriate qualifications and work experience. Specialized equipment and premises are also needed, which small companies find difficult to provide.
Another common problem is the stringency of the mandatory requirements for personal data protection systems. Protecting class 1 personal data information systems is equated to protecting information containing state or commercial secrets. One mandatory requirement is protecting confidential databases from leakage through the electromagnetic emissions of computers and communication equipment.
Class 1 covers databases of personal data as well as databases that hold and process large volumes of information at once; such databases exist in most corporations, private and municipal. Moreover, the FSTEC standards governing the procedure for processing personal data are marked "For official use" and are issued to personal data operators and to organizations that protect personal data under an FSTEC license.
One problem in protecting confidential information that constitutes personal data is the lack of certified software. The programs on offer do not meet the requirements for protection levels 1 and 2. For example, no certified versions of open-source database management and protection software such as MySQL are available on the Russian market, and the licensed Microsoft Windows operating system is applicable only to protecting databases up to level 2. Protecting databases running on 64-bit operating systems and on Unix and Linux remains an unsolved problem.
The licensed personal data protection products on offer either do not comply with the regulatory requirements or are inapplicable where large volumes of data are stored and processed, because they do not meet the technical requirements. For example, the Secret Net database security software requires hardware components that cannot be installed in a blade server.
Moreover, programs used to work with personal data are checked for undeclared capabilities before installation. This check requires the program's source code, which far from all software vendors, especially foreign ones, agree to provide.
Before work with personal data databases begins, it is confirmed whether their protection meets the requirements for classes 1, 2 and 3; for this the data processing system is attested. Whereas earlier this procedure was carried out only in state institutions, today checking the level of personal data protection is mandatory for all organizations. Based on the results, a certificate valid for three years is issued. Any subsequent change (including installing new programs or moving a computer from one office to another) must be agreed with the body that checked the database's security.
Another problem is the insufficient number of licensed Russian companies specializing in technical protection of confidential data; they cannot keep up with the demand for technical protection of personal data, which grows every year. And the licensing procedure is impractical for a large number of those wishing to obtain a certificate for working with personal data.
Organizational and technical solutions
Organizations that process and store personal data use automated databases: computer databases accessed through technical channels. That is why personal data protection, information processes, and the state norms regulating relations between employee and employer remain relevant issues. The solution is never piecemeal: a set of technical and legal measures is required to protect the personal data of the organization's employees and customers.
Despite these problems, the task is solvable. There are two options for protecting the personal data being processed and transmitted, taking into account both the requirements of the law and the company's budget.
Competent preparation and organization of the entire information system reduces the cost of protecting confidential databases. In a corporation it is advisable to divide the databases territorially, which reduces the amount of personal data processed in each database and so lowers their security class. And using encrypted identifiers depersonalizes the personal data being transmitted.
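The depersonalization step described above, as an added example that is not code from the original article: direct identifiers in each record are replaced by a keyed pseudonym before the record leaves its territorial database, and the table that maps pseudonyms back to real identifiers stays at the source with the key custodian. The example uses an HMAC-SHA256 keyed hash rather than a reversible cipher, which is one common way to implement "encrypted identifiers"; the key, field names and records are constructed for illustration.

```python
"""Depersonalizing transmitted personal data with keyed pseudonymous identifiers.

Added example, not code from the original article. Direct identifiers in each
record are replaced by a pseudonym derived with HMAC-SHA256 under a secret key;
the table mapping pseudonyms back to real identifiers stays at the source
database with the key custodian, so the transmitted copy carries no direct
identifiers. Key, field names and records below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records as held by one territorial database.
SAMPLE_RECORDS = [
    {"passport": "4501 123456", "name": "Ivanov I. I.", "department": "sales", "salary": 52000},
    {"passport": "4502 654321", "name": "Petrova A. S.", "department": "hr", "salary": 61000},
]
# Fields that directly identify a person and must not leave the source database.
DIRECT_IDENTIFIERS = ("passport", "name")


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym for one identifier.

    The same identifier under the same key always yields the same token, so
    records about one person can still be joined on the receiving side; without
    the key (and the lookup table) the token cannot be traced back to the person.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def depersonalize(records, key):
    """Return (records safe to transmit, re-identification table kept at source)."""
    outgoing = []
    lookup = {}
    for rec in records:
        token = pseudonym(rec["passport"], key)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        outgoing.append({"subject_id": token, **stripped})
    return outgoing, lookup


def reidentify(outgoing, lookup):
    """Restore direct identifiers; only the holder of the lookup table can do this."""
    restored = []
    for rec in outgoing:
        ident = lookup[rec["subject_id"]]
        restored.append({**ident, **{k: v for k, v in rec.items() if k != "subject_id"}})
    return restored


def contains_direct_identifiers(records) -> bool:
    """Check a batch before it is sent: True if any direct identifier survived."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    # In practice the key lives in the certified cryptographic module, not in code.
    key = secrets.token_bytes(32)
    sent, table = depersonalize(SAMPLE_RECORDS, key)
    assert not contains_direct_identifiers(sent)
    print("transmitted:", sent)
    print("restored at source:", reidentify(sent, table))
```

The pre-send check (`contains_direct_identifiers`) is the piece worth automating: the receiving database should reject any batch in which a direct identifier slipped through, and the lookup table and key should never travel with the data.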
The terminal access technique used in personal data processing programs reduces costs: information is processed on the server, and data is output and displayed through workstations.
This technology makes it possible to downgrade the security class of workstations to the third and reduces the cost of protecting and attesting the data processing system. The company saves on acquiring complex computing equipment and on managing information databases, thanks to the decentralization of the information base and the reduced requirements on the technical characteristics of user computers.
Introducing new personal data processing programs with built-in licensed protection, certified against the requirements for secure data transfer and checked for undeclared capabilities, reduces future spending on additional software and on training company employees. Also, upon agreement with FSTEC, programs that have not passed the check for undeclared capabilities may be used.
In addition, designate employees responsible for the security of personal data. For corporations it is more economical to create their own information security department, obtain the necessary certificates and licenses, and protect their databases independently.
Next, clarify what personal data the company actually requires. The more extensively employee and customer data is processed, the more complex its protection. Enhanced protection is provided for data relating to the health and private life of employees or customers (political and religious views, nationality, family relations), whereas the data needed to identify a person does not require such protection.
The company's personnel responsible for the security of employees' and customers' personal data identify data that is not required for the company's work and exclude it from the information collected and processed.
Finally, the database security officers prepare, in the form of a table, lists of the employees who have been granted access to the collection, processing and storage of confidential data about employees and customers. Leakage of confidential data upon an employee's dismissal is prevented by checking that the data about that employee has been blocked or deleted.
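The three steps above (keep only the data the company needs, keep a table of who may handle confidential data, and check on dismissal that access is revoked and the employee's data blocked or deleted) carried through as one added example; this is illustration code, not the article's own, and the field categories, record contents and employee names are constructed.

```python
"""Data minimization, access register and dismissal check for personal data.

Added example, not from the original article. It walks through the steps the
text describes: keep only the fields the company needs, mark special-category
fields for enhanced protection, keep a table of who may collect, process or store
confidential data, and on dismissal revoke that access and block or delete the
employee's own record. Field categories, records and names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed categorization from one company's review: fields required to
# identify a person, and fields that need enhanced protection.
REQUIRED_FIELDS = {"full_name", "position", "passport"}
SPECIAL_CATEGORY = {"health", "religion", "political_views", "nationality", "family"}
# Everything else is data collected but not required for the company's work.


def minimize(record: dict) -> tuple[dict, dict, list[str]]:
    """Split a record into required fields, special-category fields, and the
    names of fields that should not be collected at all."""
    required, special, dropped = {}, {}, []
    for key, value in record.items():
        if key in REQUIRED_FIELDS:
            required[key] = value
        elif key in SPECIAL_CATEGORY:
            special[key] = value
        else:
            dropped.append(key)
    return required, special, sorted(dropped)


@dataclass
class AccessRegister:
    """The table of employees admitted to collecting, processing and storing
    confidential data, kept as employee -> set of permitted operations."""
    entries: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, employee: str, *operations: str) -> None:
        self.entries.setdefault(employee, set()).update(operations)

    def can(self, employee: str, operation: str) -> bool:
        return operation in self.entries.get(employee, set())

    def revoke_all(self, employee: str) -> set[str]:
        return self.entries.pop(employee, set())


@dataclass
class SubjectStore:
    """Personal data records keyed by subject id, with a block list."""
    records: dict[str, dict] = field(default_factory=dict)
    blocked: set[str] = field(default_factory=set)

    def read(self, subject: str) -> dict | None:
        # A blocked record is retained but no longer served to processing.
        if subject in self.blocked:
            return None
        return self.records.get(subject)


def offboard(employee: str, register: AccessRegister, store: SubjectStore,
             delete: bool = False) -> dict:
    """Dismissal check: revoke the employee's access to confidential data and
    block (or delete) the employee's own record; return a verifiable report."""
    revoked = register.revoke_all(employee)
    if delete:
        store.records.pop(employee, None)
        store.blocked.discard(employee)
    else:
        store.blocked.add(employee)
    return {
        "employee": employee,
        "revoked": sorted(revoked),
        "access_remaining": any(register.can(employee, op) for op in ("collect", "process", "store")),
        "record_readable": store.read(employee) is not None,
        "record_retained": employee in store.records,
    }


if __name__ == "__main__":
    raw = {"full_name": "Ivanov I. I.", "position": "clerk", "passport": "4501 123456",
           "health": "none reported", "hobbies": "chess"}
    print(minimize(raw))
    reg, store = AccessRegister(), SubjectStore()
    reg.grant("emp-1", "collect", "process")
    store.records["emp-1"] = minimize(raw)[0]
    print(offboard("emp-1", reg, store))
```

The report returned by `offboard` is what the security officer files: `access_remaining` must be False and `record_readable` must be False for every dismissed employee, and `record_retained` documents whether the record was blocked (kept for the retention period) or deleted.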
For small companies, an economically viable solution is to sign an agreement with an organization that will prepare and implement a database security program, with subsequent outsourcing (transfer to the customer company) of a functioning system for protecting the personal data of employees and customers. Such an agreement reduces the cost of training and paying full-time employees and minimizes the risk of confidential information leakage.
Before concluding this agreement, a list of requirements for the information security system to be implemented is drawn up. It should be borne in mind that all systems for protecting confidential data have a specific purpose: preventing leakage of the protected data and ensuring its safety and availability. Database protection requirements vary with the identified threat model.
Custom development of information security programs requires a highly qualified developer and carries increased responsibility for the functioning and significance of the proposed model. At the same time, such personal data protection systems target only the identified threat model and are inferior in functionality to standard information security systems.
This area is constantly evolving, since government regulation of technical requirements for information security also keeps changing. Before the advent of the Internet, the main threat model was foreign technical intelligence services, so the system of protection against them was spelled out clearly in regulations. The protection of the personal information of a company's employees likewise rests on the existing norms, taking into account the specifics of its work.
Solving the problems that arise in information security is possible through the interaction of the employees who collect and process personal data, the developers of computer programs and information security systems, and government agencies.