Technical protection of personal data
Most companies in the country are personal data operators, since they handle large amounts of information directly related to the identity of citizens, which they receive in the course of their statutory tasks. Existing threat models require technical means, adequate to the level of threats, of protecting data from leaks, unauthorized access and use, and loss during transmission over communication channels. The list of such measures is established by the regulations of the FSTEC of Russia. The same department, together with the FSB of the Russian Federation, controls the legality of their choice and the correctness of their application. The FSTEC requirements are mandatory; otherwise the organization may lose the right to process personal data.
Why technical protection of personal data is needed
By its legal nature, personal data is classified as confidential, legally protected information. The Federal Law "On Personal Data" defines it as any information that is directly related to a particular person. Once individuals have transferred their information to the operator companies that process it, subject to consent to its processing by certain methods and for certain purposes, that information receives protected status. Unlike trade secrets, the methods of protecting personal data are established by the state. The list of specific technical means is determined by the FSTEC of Russia in Order No. 21. The recommendations introduce 15 groups of technical measures; each group contains basic, mandatory measures and recommended measures that the operator may apply at its own discretion, comparing them against the current model of security threats to personal data.
Stages of creating a personal data protection system
Before sending a notification about the start of activities related to the protection of personal data, the operator must ensure that its information system meets the established requirements and that the technical means have been chosen. The implementation process is divided into several sequential stages; their number depends on the chosen protection method, which in turn depends on the type of information, the security class (determined by the parameters established by Decree of the Government of the Russian Federation No. 1119), and the presence or absence of the system's connection to telecommunication channels ...
Primary organizational measures
Before proceeding to implement the system of technical measures for the protection of personal data, some organizational measures must be carried out relating to the classification of threats and the assessment of the available technical means. This is required in order to assess the need to install anti-virus and cryptographic protection tools and to select them.
As part of this analysis, the following is established:
- the list of personal data at the disposal of the organization and the required degree of its protection. Enhanced protection will be required when processing data constituting a medical secret, and information on the basis of which decisions with legal consequences will be made;
- the purposes of data processing. This can be the collection of personnel information, the provision of processing services, or information transfer services;
- the terms of work with the data. The law states that they are limited. It is necessary to determine the amount of data that must be destroyed, and the timing, means and procedure for such destruction.
After determining the object of technical protection, the next step is to determine the technical means necessary to ensure the protection of personal data.
Personal data processing methods
In practice, at the first stage personal data is processed manually, and the operator is only required to physically protect the material carriers, using such means as a pass system and equipping the premises according to a certain security class; only at the next stage is the data entered into automated information systems. Within the manual and technical processing methods, several separate methods are distinguished; for automated processing, it is necessary to determine the elements of the system configuration in which processing occurs. This can be a personnel and accounting module, or a module for working with clients.
Determination of the characteristics of technical systems
The next stage of work to ensure the technical protection of personal data is to determine the main characteristics of the automated processing systems: their configuration, the need to generate an electronic signature, and the need to install certified anti-virus or cryptographic protection. Next, the system is classified according to the nature of the data. The following groups exist:
- category 1. Information concerning health, personal life, political views;
- category 2. Any data that allows a person to be identified and additional information about him to be obtained in the future;
- category 3. Information that only allows the subject of personal data to be identified;
- category 4. Anonymized data.
When processing data of category 1, the automated system in which the personal data is stored must be equipped with technical means of protection as a special system; for the rest, the basic model is sufficient. In addition to the data category, the parameters of the system are affected by the number of people whose information is processed. Based on this, four levels of system security are established - from maximum to low.
Assessment of system compliance with the requirements of FSTEC of Russia
After determining the data class and the requirements for the system, it is necessary to establish exactly what requirements the FSTEC of Russia imposes, in order to assess whether the technical means used to ensure the security of personal data comply with them. They are as follows:
- if the system belongs to the 1st or 2nd class, its compliance with the requirements for the security level is confirmed by mandatory certification (in a number of normative documents this procedure is called certification). It is conducted by the FSTEC of Russia;
- if the system belongs to the 3rd class, the operator is required to declare the compliance of its parameters with the requirements;
- for systems of the 4th class, the choice of the protection method and the technical means used remains at the discretion of the operator.
After it has been determined what parameters the system must meet and what technical means are needed for its operation and the proper protection of personal data, the construction of its configuration begins. The operator evaluates the correctness of the applied solutions once every three years, and the FSTEC of the Russian Federation can also monitor the compliance of the system with the requirements through documentary or on-site inspections.
Installation of technical means of protection
After the parameters of the system are determined, the selection of the necessary software and hardware tools corresponding to the declared security class begins. When choosing basic and compensating measures, it is necessary to strike a balance between the level of security and financial viability. Sometimes engaging a specialized organization is the right decision for this assessment.
The quality of the tools and the requirements for their certification are determined in accordance with the regulatory documents of the FSTEC of the Russian Federation. All technical means are divided into two groups:
- tools protecting personal data and other confidential information from unauthorized access. These include anti-virus and cryptographic protection tools, firewalls, tools for blocking information input/output devices, and systems that limit the ability to take information out of the protected perimeter;
- information security tools responsible for preventing information leaks through technical communication channels. These are noise generators, shielded cables that prevent the interception of electromagnetic radiation, and high-frequency filters on the communication line.
When engaging a specialized organization to create a technical system for protecting personal data, it is necessary to verify that it holds the appropriate licenses and that all the tools used are certified in the prescribed manner.
The choice of technical means of protection should be determined by the security class of the system, whether it belongs to the conventional or special category, and the operator's own capabilities.