Personal data protection system certification
Personal data (PD) is information about individuals. It is stored in the databases of virtually every company and business and is transferred to other legal entities and individuals. To prevent this confidential information from falling into the wrong hands, personal data security systems are organized. The final phase of building such a system is its certification, which must confirm that the system complies with legal requirements.
To protect the privacy of citizens' personal lives, Federal Law No. 152-FZ "On Personal Data" was adopted on July 27, 2006. Among the reasons for its appearance were leaks on the Internet and the sale of databases containing citizens' personal data from both state and commercial institutions.
State institutions that work with citizens' personal data are required to certify their personal data protection systems. Information systems are checked for compliance with the requirements of legal norms and with Order No. 21 of 18.02.13 issued by the Federal Service for Technical and Export Control (FSTEC) of the Russian Federation.
Certification is carried out for each workplace by specialized companies that provide these services on the basis of an FSTEC license for this type of activity.
How certification is carried out and what it aims to achieve
- Analysis of the available documentation on information security.
- Drawing up a certification research plan, agreed with the heads of the institution.
- Review of the technological chain for processing, storing and protecting information.
- Survey of servers and workstations for protection against unauthorized intrusion.
- Checking anti-virus software.
- Firewall testing.
- Additionally, studies of the possibility of reading information from data transmission channels may be carried out.
- Drawing up a test report.
- Preparing a conclusion, based on the results of the certification studies, on whether the measures taken are sufficient to protect personal data from unauthorized access.
- Additionally, a protocol on the proper security of information transmission channels may be drawn up.
- Based on the results of the certification studies, either a Certificate of Compliance with the required security requirements is issued, or an order is given to eliminate the identified deficiencies.
- The certificate is valid for three years, after which re-certification is carried out.
If equipment is replaced or new ways of working with information are introduced, an extraordinary certification of the protection systems is carried out.