Myths about 152-FZ, which can cost a personal data operator dearly

Hi all! I manage the DataLine cyber defense center. Customers come to us with the task of meeting the requirements of 152-FZ in the cloud or on physical infrastructure.
In almost every project we have to do some educational work to debunk the myths around this law. I have collected the most common misconceptions, which can cost a personal data operator a lot of money and nerves. I'll say up front that state information systems (GIS), state secrets, critical information infrastructure (CII) and the like remain outside the scope of this article.


Myth 1. I installed an antivirus and a firewall and put the racks in a cage. Am I complying with the law?

152-FZ is not about protecting systems and servers, but about protecting the personal data of subjects. Therefore, compliance with 152-FZ does not begin with an antivirus, but with a large number of pieces of paper and organizational issues.
The main regulator, Roskomnadzor, will look not at the availability and condition of technical means of protection, but at the legal grounds for processing personal data (PD):

  • for what purpose you collect personal data;
  • whether you collect more than you need for those purposes;
  • how long you keep personal data;
  • whether there is a policy for the processing of personal data;
  • whether you collect consent to the processing of personal data, to cross-border transfer, to processing by third parties, etc.

The answers to these questions, as well as the processes themselves, should be recorded in the relevant documents. Here is a far from complete list of what a personal data operator needs to prepare:

  • Standard form of consent to the processing of personal data (these are the sheets we now sign almost everywhere we leave our full name and passport data).
  • The operator's policy regarding the processing of personal data (there are official guidelines on how to draft it).
  • Order appointing a person responsible for organizing the processing of personal data.
  • Job description of the person responsible for organizing the processing of PD.
  • Rules for internal control and (or) audit of the compliance of PD processing with legal requirements.
  • List of personal data information systems (ISPD).
  • Regulations for granting a subject access to their PD.
  • Incident investigation regulations.
  • Order admitting employees to the processing of personal data.
  • Rules for interaction with regulators.
  • Notification to Roskomnadzor (RKN), etc.
  • Form of the PD processing instruction (for third parties processing PD on the operator's behalf).
  • ISPD threat model.

After these issues are resolved, it is possible to proceed to the selection of specific measures and technical means. Which ones you need depends on the systems, their operating conditions and current threats. But more on that later.

Reality: compliance with the law is first of all the establishment and observance of certain processes, and only in the second place the use of special technical means.

Myth 2. I store personal data in a cloud or data center that meets the requirements of 152-FZ. Now they are responsible for complying with the law

When you outsource the storage of personal data to a cloud provider or data center, you do not cease to be the operator of that personal data.
Let's turn to the definition in the law:

Processing of personal data - any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Source: article 3, 152-FZ

Of all these actions, the service provider is responsible for the storage and destruction of personal data (when the client terminates the contract with it). Everything else is done by the personal data operator. This means that the operator, not the service provider, determines the personal data processing policy, obtains signed consents from its customers for the processing of personal data, prevents and investigates leaks of personal data, and so on.

Therefore, the personal data operator must still prepare the documents listed above and take organizational and technical measures to protect its ISPDs.

Typically, the provider helps the operator by ensuring compliance with the requirements of the law at the infrastructure level where the operator's ISPD will be located: racks with equipment or a cloud. The provider also prepares a package of documents and takes organizational and technical measures for its piece of the infrastructure in accordance with 152-FZ.

Some providers help with paperwork and provide technical protection for the ISPDs themselves, that is, a level above the infrastructure. The operator can also outsource these tasks, but the responsibility and obligations under the law do not disappear anywhere.

Reality: when using the services of a provider or data center, you cannot transfer the duties of a personal data operator to it and get rid of your responsibility. If a provider promises you this, it is, to put it mildly, being disingenuous.

Myth 3. I have the necessary package of documents and measures. I store personal data with a provider who promises compliance with 152-FZ. Am I all set?

Yes, if you remember to sign the instruction (поручение). By law, the operator may entrust the processing of personal data to another person, for example the same service provider. The instruction is a kind of contract that lists what the service provider may do with the operator's personal data.

The operator has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by Federal Law, on the basis of an agreement concluded with this person, including a state or municipal contract, or by the adoption of a relevant act by a state or municipal body (hereinafter referred to as the operator's instruction). A person who processes personal data on behalf of the operator is obliged to comply with the principles and rules for the processing of personal data provided for by this Federal Law.
Source: p.3, article 6, 152-FZ

The provider's obligation to maintain the confidentiality of personal data and ensure their security in accordance with the specified requirements is fixed right there:

The operator's instruction must define a list of actions (operations) with personal data that will be performed by the person processing personal data and the purposes of processing, the obligation of such a person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, as well as the requirements for the protection of processed personal data in accordance with Article 19 of this Federal Law.
Source: p.3, article 6, 152-FZ

For this, the provider is liable to the operator, not to the subject of personal data:

If the operator entrusts the processing of personal data to another person, the operator shall be liable to the subject of personal data for the actions of the said person. The person who processes personal data on behalf of the operator is liable to the operator.
Source: 152-FZ.

It is also important to spell out the obligation to ensure the protection of personal data in the instruction:

The security of personal data during their processing in the information system is ensured by the operator of this system who processes personal data (hereinafter referred to as the operator), or the person who processes personal data on behalf of the operator on the basis of an agreement concluded with this person (hereinafter referred to as the authorized person). The agreement between the operator and the authorized person must provide for the obligation of the authorized person to ensure the security of personal data during their processing in the information system.
Source: Decree of the Government of the Russian Federation of November 1, 2012 No. 1119

Reality: if you hand personal data over to a provider, sign the instruction. In the instruction, state the requirement to ensure the protection of the subjects' personal data. Otherwise you do not comply with the law in terms of transferring the processing of personal data to a third party, and the provider owes you nothing in terms of compliance with 152-FZ.

Myth 4. The Mossad is spying on me, or I definitely have UZ-1

Some customers persistently insist that they have ISPDs of security level 1 or 2. Most often this is not the case. Let's recall the basics to understand why this happens.
The UZ, or security level, determines what you will be protecting personal data from.
The following points affect the security level:

  • type of personal data (special, biometric, public and other);
  • whose personal data it is: employees or non-employees of the personal data operator;
  • whether the number of personal data subjects is more or less than 100 thousand;
  • types of relevant threats.

The types of threats are defined in Decree of the Government of the Russian Federation of November 1, 2012 No. 1119 (PP-1119). Here is a description of each with my free translation into human language.

Threats of the 1st type are relevant for an information system if, among other things, the threats associated with the presence of undocumented (undeclared) capabilities in the system software used in the information system are relevant for it.

If you recognize this type of threat as relevant, then you firmly believe that CIA, MI6 or Mossad agents have planted a backdoor in the operating system in order to steal the personal data of specific subjects from your ISPD.

Threats of the 2nd type are relevant for an information system if, among other things, it is subject to threats related to the presence of undocumented (undeclared) capabilities in the application software used in the information system.

If you think that threats of the second type are your case, then you dream of how those same agents of the CIA, MI6 and Mossad, an evil lone hacker or a group planted backdoors in some office software package in order to hunt specifically for your personal data. Yes, there is dubious application software like µTorrent, but you can make a list of software approved for installation and sign an agreement with users, not give users local administrator rights, etc.

Threats of the 3rd type are relevant for an information system if threats are relevant for it that are not related to the presence of undocumented (undeclared) capabilities in the system and application software used in the information system.

Threats of types 1 and 2 do not apply to you, so you end up here.

We have figured out the types of threats; now let's see what security level our ISPD will have.

[Table: correspondence between threat type, personal data category, subject count and security level (UZ-1 to UZ-4), based on Decree of the Government of the Russian Federation of November 1, 2012 No. 1119.]

If we chose the third type of relevant threats, then in most cases we will have UZ-3. The only exception, where threats of types 1 and 2 are not relevant but the security level will still be higher (UZ-2), is companies that process special personal data of more than 100 thousand non-employee subjects. For example, companies engaged in medical diagnostics and providing medical services.

There is also UZ-4, and it is found mainly in companies whose business does not involve processing the personal data of non-employees, i.e. customers or contractors, or whose PD databases are small.

Why is it so important not to overdo it with the security level? It's simple: the set of measures and protection tools required to ensure that level depends on it. The higher the UZ, the more organizational and technical things will have to be done (read: the more money and nerves will have to be spent).

Here, for example, is how the set of security measures changes according to the same PP-1119.

[Figure: set of security measures required for each security level according to PP-1119.]

Now let's see how the list of necessary measures changes depending on the chosen security level according to Order of the FSTEC of Russia No. 21 dated 18.02.2013. This document has a lengthy annex that defines the necessary measures. There are 109 of them in total; for each UZ the mandatory measures are marked with a "+" sign, and they are simply counted in the table below. If you leave only those needed for UZ-3, you get 4.

[Table: number of mandatory measures from the annex to FSTEC Order No. 21 for each security level.]

Reality: if you do not collect clients' medical test results or biometrics, and you are not paranoid about backdoors in system and application software, then most likely you have UZ-3. It provides for a sane list of organizational and technical measures that can actually be implemented.

Myth 5. All information protection tools (SZI) for personal data must be certified by the FSTEC of Russia

If you want or are required to go through attestation, then you will most likely need to use certified protection tools. Attestation will be carried out by a licensee of the FSTEC of Russia, who:

  • is interested in selling you more certified protection tools;
  • will be afraid of having its license revoked by the regulator if something goes wrong.

If you do not need attestation and are ready to confirm fulfillment of the requirements in the other way named in Order of the FSTEC of Russia No. 21, "Evaluation of the effectiveness of measures implemented within the personal data protection system to ensure the security of personal data", then certified protection tools are not mandatory for you. I'll try to give a short explanation.

Paragraph 2 of Article 19 of 152-FZ states that it is necessary to use protection tools that have passed the conformity assessment procedure in the prescribed manner:

Ensuring the security of personal data is achieved, in particular:
[…] 3) the use of information security tools that have passed the conformity assessment procedure in the prescribed manner.

Paragraph 13 of PP-1119 also contains a requirement to use information protection tools that have passed the procedure for assessing compliance with legal requirements:

[…] the use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the case when the use of such tools is necessary to neutralize current threats.

Clause 4 of FSTEC Order No. 21 practically duplicates paragraph 13 of PP-1119:

Measures to ensure the security of personal data are implemented, among other things, through the use of information protection tools in the information system that have passed the conformity assessment procedure in the prescribed manner, in cases where the use of such tools is necessary to neutralize actual threats to the security of personal data.

What do these wordings have in common? That's right: none of them requires the use of certified protection tools. The fact is that there are several forms of conformity assessment (voluntary or mandatory certification, declaration of conformity). Certification is just one of them. The operator may use non-certified products, but during an inspection it will need to demonstrate to the regulator that they have passed some form of conformity assessment.

If the operator decides to use certified protection tools, then it is necessary to choose the information protection tools according to the UZ, which is clearly stated in FSTEC Order No. 21:

Technical measures for the protection of personal data are implemented through the use of information security tools, including software (software and hardware) tools in which they are implemented, having the necessary security functions.
When using information security tools certified in accordance with information security requirements in information systems:

[Table: required classes of certified information protection tools for each security level.]
Clause 12 of Order No. 21 of the FSTEC of Russia.

Reality: the law does not require the mandatory use of certified protection tools.

Myth 6. I need crypto protection

Here are a few nuances:

  1. Many believe that cryptography is mandatory for any ISPD. In fact, it should be used only if the operator sees no protection measures for itself other than cryptography.
  2. If there is no way around cryptography, then you need to use cryptographic information protection tools (CIPF) certified by the FSB.
  3. For example, you decide to place an ISPD in a service provider's cloud, but you do not trust the provider. You describe your concerns in the threat and intruder model. You have personal data, so you decided that cryptography is the only way to protect it: you will encrypt virtual machines and build secure channels with cryptographic protection. In this case, you will have to use CIPF certified by the FSB of Russia.
  4. Certified CIPF are selected according to the required security level in accordance with Order No. 378 of the FSB.

For an ISPD with UZ-3 you can use KS1, KS2 or KS3. KS1 is, for example, S-Terra Virtual Gateway 4.2 for channel protection.

KS2 and KS3 are represented only by software and hardware appliances, such as ViPNet Coordinator, APKSH "Continent", S-Terra Gateway, etc.

If you have UZ-2 or UZ-1, then you will need cryptographic protection tools of classes KV1, KV2 and KA. These are specialized software and hardware appliances; they are difficult to operate, and their performance characteristics are modest.


Reality: the law does not oblige the use of CIPF certified by the FSB.

Source: habr.com
