Personal data protection systems
The concept of informational human rights that exists in the modern world is reflected in national legislation on the protection of personal data. Numerous standards and norms have been developed to ensure proper protection, but each company that systematically works with large amounts of information is obliged to create its own information security system. This helps it avoid information leaks, reputational losses, customer claims and fines from regulatory authorities.
A personal data protection system is designed to protect the information at the organization's disposal that relates to specific individuals. This is not only identifying personal data, but also information about health and financial condition. Such data is an information asset that can be attacked by a variety of actors. The main security threats are:
- competitors of a particular company wishing to harm it;
- international cyberterrorist organizations interested in personal data leaks for their own publicity;
- insiders, that is, company employees pursuing their own goals or acting on someone else's instructions.
In most cases, leaks are internal in nature; the most common risk is an employee handing over another person's personal data to an acquaintance who asked for it, outside of any professional relationship. Judicial practice shows that a leak of one person's personal data can sometimes cause more reputational and financial harm than the accidental loss of a large volume of data caused by imperfect software and communication channels. All of this leads to the need to develop one's own information system for protecting personal data.
What is a personal data protection system
Basic requirements for such systems are established by Decree of the Government of the Russian Federation No. 1119. It sets the parameters of the systems themselves and determines the means and methods needed to ensure the security of personal information held in information databases. After studying this decree, it becomes clear that personal data protection systems (PDS) are characterized by the following parameters:
- they represent a set of measures and activities, both organizational and technical in nature;
- this set is designed to prevent unlawful access to personal data;
- the system should be designed taking into account the relevance of current threats;
- it is developed by personal data operators, taking into account the scope of their tasks and their degree of responsibility.
In the law, a personal data operator is understood as a legal entity or an entrepreneur who, in the course of carrying out their statutory tasks, receives information relating to a particular person. Only employers who hold no data other than personnel records are not considered operators and do not bear the corresponding obligations. If a person is obliged to take measures to protect this information, they will have to create their own information security system, taking into account their level of responsibility, which depends on the characteristics of the information entrusted to them. The security system must simultaneously:
- be effective;
- not interfere with normal work processes.
According to the requirements of regulatory legal acts, several levels of security are defined for a company's data protection systems, and these determine which protection means must be used. There are four of them.
To simplify the indication of the levels in technical documentation, they are marked with the letter "Y" and a number indicating the protection class: 1 is the highest, 4 the lowest. The requirements set a specific level of protection for each operator. The choice is determined by the following characteristics:
- the number of subjects whose data are subject to processing;
- the class and degree of value of the processed information;
- the types of processing used, selected from the list established by law;
- the relevance and type of threats.
Taking these parameters into account helps to develop an effective system of measures that can cope with threats to data security at all expected levels. When choosing a class of protection means, one can be guided by paragraphs 4-16 of Government Decree No. 1119. The operator develops the personal data security system and chooses measures and means either independently or by engaging a specialized organization. Such a company must hold a license that allows it to develop and implement a PDS. When building a relationship with such an organization, special attention should be paid to documenting the delivery of every element of the personal data protection system and to keeping both operational and financial documentation. Both of these points can become the object of an audit conducted by Roskomnadzor or FSTEC.
In addition to technical means, the protection system involves carrying out certain activities and measures aimed at ensuring the proper security of personal data, as required by regulatory enactments. The measures are both technical and organizational. An activity is a set of measures that the data holder is obliged to take to ensure the data's safety from:
This group of actions is usually not difficult for the operator and is not subject to strict regulatory requirements. It does not require the involvement of licensed professionals. The mandatory measures to ensure data security include:
- sending a notification to Roskomnadzor about the start of a type of business activity that involves the processing of personal data. The notification is filled out using the form on the department's website and sent by mail;
- developing local regulations that govern data transfer. These documents include the Regulation on the Protection of Personal Data and an order appointing the person responsible for this activity. They can be prepared in-house. The documents are approved by the head of the organization; there is no requirement to register them with government departments;
- developing and implementing an access regime for premises where information arrays containing personal data are located. When issuing passes, one should not forget that, as court practice shows, even providing a photo requires a signed consent to data processing;
- development of agreements with third parties, according to which they are entrusted with the processing of data with the introduction of measures of responsibility and rules on compensation for possible damage;
- determination of the current threat model taking into account the analysis of external and internal factors;
- ranking persons by their degree of access to confidential data and signing agreements with them on the observance of commercial secrets;
- developing an internal control system that makes every violation of the confidentiality regime visible and, in cooperation with the security service, allows it to be promptly stopped.
The company cannot always develop this system on its own through the efforts of the IT department. Compliance with the requirements for the protection of personal data involves the development, installation and maintenance of complex software systems that solve the following tasks:
- preventing unauthorized access to data by both external intruders and insiders. For this, firewalls, various access control systems, cryptographic means and blocking means are used;
- preventing data leakage through technical channels, for example in the form of electromagnetic radiation or acoustic information. For this, noise generators, shielded cables and high-frequency filters are used.
The company chooses all the means needed to protect personal data from leakage on its own: the requirements concern their capabilities and certification, not specific names or types of software products. The company also bears the cost of purchasing data protection tools itself.
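The access control and internal control tasks described above are usually realized in software as a gate in front of personal-data records that enforces who may read which category of data, records every decision in an audit log, and lets the security service spot an employee reaching beyond their assignment (the insider scenario mentioned earlier). The following Python block is an added illustration of that pattern; it is not code from the original article or from any named product, and all roles, employees, record identifiers and permission tables in it are constructed for the example.

```python
"""Minimal personal-data access gate with audit trail (added example).

Every name, role, record and permission below is a constructed sample;
a real deployment would load these from the operator's own directory
and document management systems.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed sample: which categories of personal data each role may view.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "hr_specialist": {"personnel"},
    "accountant": {"personnel", "financial"},
    "clinic_doctor": {"health"},
    "support_agent": set(),  # no direct access to personal-data records
}

# Constructed sample: which data subjects each employee is assigned to handle.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "ivanova": {"subj-001", "subj-002"},
    "petrov": {"subj-003"},
}

# Constructed sample records; the category drives the role check.
RECORDS: Dict[str, Dict[str, str]] = {
    "subj-001": {"category": "personnel", "name": "Subject One"},
    "subj-002": {"category": "financial", "name": "Subject Two"},
    "subj-003": {"category": "health", "name": "Subject Three"},
    "subj-004": {"category": "health", "name": "Subject Four"},
    "subj-005": {"category": "health", "name": "Subject Five"},
}


@dataclass
class AuditEvent:
    ts: str
    user: str
    role: str
    record_id: str
    category: str
    decision: str  # "allow" or "deny"
    reason: str


@dataclass
class PersonalDataGateway:
    """All reads of personal-data records go through read(); each one is logged."""
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _log(self, user: str, role: str, record_id: str,
             category: str, decision: str, reason: str) -> None:
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role,
            record_id, category, decision, reason))

    def read(self, user: str, role: str, record_id: str) -> Optional[Dict[str, str]]:
        rec = RECORDS.get(record_id)
        if rec is None:
            self._log(user, role, record_id, "-", "deny", "no such record")
            return None
        category = rec["category"]
        # First check: is this role allowed to see this category at all?
        if category not in ROLE_PERMISSIONS.get(role, set()):
            self._log(user, role, record_id, category, "deny", "role not permitted for category")
            return None
        # Second check: is this particular subject part of the user's work assignment?
        if record_id not in ASSIGNMENTS.get(user, set()):
            self._log(user, role, record_id, category, "deny", "record not assigned to user")
            return None
        self._log(user, role, record_id, category, "allow", "ok")
        return dict(rec)  # copy, so callers cannot mutate the stored record


def users_browsing_beyond_assignment(audit_log: List[AuditEvent], threshold: int = 2) -> List[str]:
    """Internal control rule: users with at least `threshold` denials caused by
    requesting records outside their assignment are reported for review."""
    counts: Dict[str, int] = {}
    for ev in audit_log:
        if ev.decision == "deny" and ev.reason == "record not assigned to user":
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

The two checks are deliberately ordered: a role that may never see a category is stopped before assignment is consulted, so the audit trail distinguishes a misconfigured role from an employee who has the right role but is looking at subjects they have no business with. The second kind of denial is the one the internal control rule counts, since it matches the "data for an acquaintance" leak pattern more closely than a plain permission error.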
How to develop your own security system
The task of developing your own data security system should be solved step by step. Any project management method offers several sequential steps for introducing a new type of work. These are:
- analysis of results;
- revision, taking into account the identified shortcomings.
A data protection system should be developed and installed on the same principle. The following steps are identified:
- publication of an internal administrative document informing the staff of the decision to start building the PDS. The document specifies the set of measures and the person responsible for carrying out the order;
- survey of the information systems that contain personal data. During this diagnostic, the category of protected data must be established. The result of the survey is a report that should contain a threat model, a description of the system and a characterization of its security level;
- organizational measures - sending a notification to Roskomnadzor and developing a package of internal local regulations on data protection;
- creation of documents dedicated to information security that cover admission, degrees of confidentiality, commercial secrets, the use of keys and passwords, and physical access to workplaces involved in the processing of personal data;
- determination of the list of technical measures. Once the main security threats are identified, determine whether cryptographic methods of data protection are needed;
- purchase of certified data protection tools and their configuration;
- publication of documentation on working with data: a new organizational structure, a data log, and the format of acts for the destruction of information carriers.
This whole set of actions should take place under the control of the head of the organization. In that case, the creation of a system for ensuring the security of personal data will be successful and will not require modifications and rework.