Secure cloud on the DF Cloud platform

FZ-152 "On the protection of personal data" applies to all existing entities: individuals and legal entities, federal government bodies and local governments. In practice, this law applies to any organization that processes information and personal data of citizens of the Russian Federation, regardless of its form of ownership or size.

Sometimes an organization discovers, quite unexpectedly, that it operates personal data (PD) information systems it was not initially aware of. For example, a company is considered a personal data operator if its website has feedback forms, registration, authorization or other data-collection forms through which the data subject can be identified.


Control and supervision regarding compliance with the requirements of the federal law “On Personal Data” is carried out by regulators:

  • Roskomnadzor in terms of protecting the rights of personal data subjects;
  • FSB of Russia regarding compliance with requirements in the field of cryptography;
  • FSTEC of Russia in terms of compliance with requirements for protecting information from unauthorized access and leakage through technical channels.

Since the Federal Law “On Personal Data” is only the basis for legal support for the protection of personal data, its requirements were subsequently specified in acts of the Government of the Russian Federation and the Ministry of Communications, and other regulatory and methodological documents of regulators.

Federal authorities regulating activities in the field of personal data processing

  • Roskomnadzor (Federal Service for Supervision of Communications, Information Technology and Mass Media) - exercises control and supervision over the compliance of PD processing with legal requirements.
  • FSTEC of Russia (Federal Service for Technical and Export Control) - establishes methods and means of protecting information using technical means.
  • FSB of Russia (Federal Security Service of the Russian Federation) - establishes methods and means of protecting information within its powers (the use of cryptographic means of information protection).

Every organization that processes personal data faces the task of bringing its information systems into compliance with legal requirements. Personal data protection is one of the most pressing issues, not only in Russia, but also in other countries.


Types of personal data

According to Federal Law No. 152, personal data is any information relating to an individual who is identified or identifiable on the basis of such information (the personal data subject). For example: full name, date and place of birth, address, family, social and property status, education, etc.

Personal data is divided into several categories:

  • Special - personal data relating to race, nationality, political views, religious or philosophical beliefs, health status or intimate life.
  • Biometric - PD that characterize the physiological and biological features of a person, on the basis of which their identity can be established, and which the operator uses to establish the identity of the personal data subject.
  • Other - PD relating to a directly or indirectly identified or identifiable individual and not falling into the above categories.
  • Publicly available - PD obtained from publicly available sources in which the data was published with the written consent of the personal data subject.

Processing of personal data is any action (operation) or set of actions performed on personal data, with or without automation tools, including:

  • collection,
  • recording,
  • systematization,
  • accumulation,
  • storage,
  • clarification (update, change),
  • extraction,
  • usage,
  • transmission (distribution, provision, access),
  • depersonalization,
  • blocking,
  • removal,
  • destruction of personal data.

Liability for violations

According to Article 24 of Federal Law No. 152, persons guilty of violating the law bear liability in accordance with the legislation of the Russian Federation.

When inspecting a company, regulators are guided by Federal Law-152 and a number of by-laws. An inspection can be either scheduled or unscheduled - triggered by reported violations, or carried out to verify that previously issued orders to eliminate violations have been fulfilled.

Persons who violate the requirements for the protection of personal data may face not only civil and disciplinary, but also administrative and even criminal liability.

How to comply with the requirements of FZ-152?

So, a company or organization that processes personal data or other restricted information must protect this information in accordance with the law. This requires not only serious expertise, knowledge and experience, but also involves technical difficulties and considerable costs.

According to the official definition approved by FSTEC, “...Security of personal data is the state of security of personal data, characterized by the ability of users, technical means and information technologies to ensure the confidentiality, integrity and availability of personal data when processed in personal data information systems...”

To fulfill the organizational, legal and technical requirements of Federal Law 152 on your own, you need to study not only the law itself but also its by-laws, and work out exactly which measures need to be taken. Alternatively, outsourced specialists can examine the company's personal data processing processes, draw up the necessary documents, implement security measures, and so on.

A comprehensive information security system includes:

  • Intrusion detection and prevention tools (IDS/IPS).
  • Firewall (FW).
  • Protection against malware.
  • A system for monitoring and recording security events.
  • A system of cryptographic protection of communication channels (encryption).
  • Means of protecting the virtual environment; a system of protection against unauthorized access (NSD, the Russian abbreviation), identification and access control.
  • Security analysis / vulnerability detection system, etc.

In addition, comprehensive information security involves not only technical, but also organizational measures.

Cloud FZ-152: implementation features

A number of Russian providers offer cloud infrastructure for hosting information systems in accordance with the requirements of federal personal data legislation. When the client's systems are hosted in the cloud, the provider takes on many information security issues, including those related to the protection of personal data. When a client migrates to the cloud, the provider protects the IT infrastructure, which removes some of the responsibilities from the client. For example, the provider fulfills the requirements of Federal Law 152 regarding the protection of the virtualization environment.

Providers can also give customers expert support in solving the data protection problem: determining the required level of security and, based on that, offering an implementation option; and developing documentation to comply with the requirements of the legislation of the Russian Federation.

A secure cloud helps optimize an organization's costs by reducing the cost of creating and maintaining IT infrastructure and an internal information security system. Typically, qualified experts provide comprehensive technical support, including consulting and the development of a package of documents for certification by regulatory authorities, and the service delivery platform meets strict technical standards and the necessary organizational requirements. Clients can use services for preparing the necessary documentation and protecting ISPD at the application and operating system level.

Risk and vulnerability management processes, incident investigations, internal and external security audits, and regular monitoring and testing of the network, systems and information security processes are also provided. Qualified specialists provide round-the-clock IT infrastructure support.

Taken together, these measures ensure compliance with federal laws regarding the protection of personal data.

Certified platform

IBS DataFort provides such a service on the certified DF Cloud platform. All technical components, administration and virtualization tools of this platform comply with the norms and requirements of Federal Law-152.

[Figure: Architecture of the IBS DataFort secure cloud.]

The platform provides guaranteed protection of ISPD (up to and including security level 1), GIS (up to and including security class 1) and secure data storage in a Tier III data center. The platform uses certified firewalls, intrusion detection and prevention tools (IDS/IPS), encryption of communication channels (GOST VPN), anti-virus protection, protection against unauthorized access, protection of the virtualization environment, and vulnerability scanning tools.

Cloud FZ-152 is also a suitable solution for those who have high requirements for confidentiality and data protection, want to strengthen their business reputation, or want a competitive advantage in the form of a proven high level of information security.

How do you "move" to such a cloud? Is "seamless migration" possible? It is. For example, IBS DataFort securely transfers the ISPD to its secure cloud (including from foreign sites), minimizing downtime and the impact on the company's business processes.

Bringing the IT infrastructure into compliance with Federal Law-152

The process of bringing the client’s IT infrastructure into compliance with the requirements of Federal Law-152 begins with an audit and assessment of the current level of security.

An audit of the client's IT infrastructure includes an examination of the processing and protection of personal data and an examination of the customer's information system. A survey report is drawn up with a detailed description of the PD processing processes from a technical point of view.

The work also includes modeling threats and intruders and drawing up a report that determines the security level of the ISPD. Based on the audit results, a private specification for the ISPD protection system is drawn up, defining the requirements for the system being designed.

A set of policies, instructions, regulations and other documents for the protection of personal data is developed. At the same time, specialists try to optimize the customer's costs for implementing security measures.

IBS DataFort provides services for preparing documentation and protecting ISPD to comply with federal legislation on the protection of personal data and can help in preparing and passing certification (ISPD, GIS, AS).

Certification is carried out by independent auditors licensed by FSTEC and the FSB of Russia. Passing such certification confirms reliable protection of the personal data of the company's partners and clients from external threats, and comprehensive compliance with regulatory requirements. Importantly, clients get the convenience of a "one-stop shop": everything is provided by one company - IBS DataFort.

For the personal data operator, this means readiness for inspections by Roskomnadzor, FSTEC and the FSB, eliminating the risk of blocking resources, and the absence of claims and sanctions from the regulator.

This service is relevant for many categories of customers in the government and corporate segments and may be in demand among personal data operators who want to bring their activities into compliance with the law. Placing the information system (IS) in a closed segment of the provider's infrastructure, certified according to all necessary standards and requirements, relieves the customer of the need to organize all of this work independently.

Source: habr.com