Personal data security means
In the survey, the protection of information rights of a person and his personal data has been on the agenda for several years. Threat models are changing, the technical and informational means used are changing. Government documents not only try to keep up with the changing reality, but also provide operators with the opportunity to independently choose the means to protect personal data.
Regulatory and legal documentation
The system for ensuring the confidentiality of personal data is regulated by the Federal Law "On Personal Data", Government Decree No. 1119, and the recommendations of the FSTEC of Russia. The law describes the main terms and definitions, establishes the rights and obligations of the operator, including in the field of choosing the means of ensuring personal data, the responsibility of operators. The Government decree determines by what criteria personal data information systems relate to different levels of security. FSTEC of Russia Order No. 21 names 15 specific groups of technical measures used to ensure security. In each group, the means that the operator is entitled to use are determined.
Classification of personal data protection systems
Personal data information systems are subdivided according to security levels - from low to maximum. This ranking depends on the number of people whose data is being processed and on the characteristics of the data. According to the ranks, data security systems are divided by operators into two groups:
- typical;
- special.
The first group includes systems whose task is only to ensure the confidentiality and security of data. The concept of confidentiality implies compliance with two parameters:
- data processing is permissible only by the forces of persons specially authorized for this by the internal documentation of the operator organization;
- data transmission is carried out only if it is encrypted.
For special data security systems, in addition to confidentiality characteristics, it is required to provide additional protection measures, at least one of the list. These include:
- integrity. This term implies that any changes to the data are made only in a regulated manner, for example, only the attending physician has the right to make changes to the patient's outpatient card. Also, the integrity is ensured by the transmission of data over telecommunication networks only using an electronic signature;
- availability. The concept assumes that the system is used only by certain users and within a certain time frame.
Special systems that require the use of special means of ensuring data security include two groups:
- processing data related to human health;
- processing personal data in such a way that the result of the work becomes the basis for making legally significant decisions.
Also, systems for protecting confidential data can be divided into autonomous, without direct connection to telecommunication networks, and having such connections that require increased care about ensuring the security of information.
Choice of technical means of personal data protection
The choice of automation tools used to ensure security in the processing of personal data ultimately depends on the following parameters:
- the level of security of the personal data information system required by the Government Decree;
- financial and organizational capabilities of operators;
- technical solutions used to ensure safety;
- the presence or absence of a FSTEC license.
Based on these parameters, the operator can add proactive ones to the basic means of protecting the security of personal data, in order to achieve the security level by the system that is relevant to the current threats to subjects of personal data and their information rights.
Thus, the operator must ensure the availability of technical means that are capable of:
- identify and authenticate users, establish individual levels of access to certain categories of personal data;
- control the output of data from the system, for example, transmission by mail or in a messenger, transfer to removable media. DLP systems and SIEM systems can solve this problem. In addition, it is necessary to ensure the encryption of information transmitted through standard communication channels or located directly in information databases using cryptographic protection means;
- ensure the maximum possible protection of information databases of personal data connected to telecommunication networks from external attacks. This requires the installation of anti-virus protection, other methods of protection against hacker and other attacks, the use of electronic signatures, encryption of outgoing traffic using keys and certificates generated by the user and registered with certification authorities;
- to register all user actions in the system, which increases the level of both the security of personal data, and the motivation of employees to ensure it.
Hardware and software products must be attested and certified by the FSTEC of Russia in a class not lower than AK2 according to the classification of the FSB of the Russian Federation. For example, the operating system corresponding to this class is Windows XP with the Secure Pack Rus. For special systems, all requirements of this security class must be met. Additionally, certification of the FSTEC RF of the premises in which the computers are located will be required. Every three years, it is necessary to check the compliance of the tools used with the current requirements.
The choice of means of ensuring the security of personal data, and their very security, depend on the experience and technical training of the operator. If in doubt about your competence, it is better to seek professional services.
10.12.2020
