The tale of a white bull or how to remain invisible behind glass

Humanity keeps moving forward: much of what looked like science fiction 100 years ago has already become reality. Under Ivan the Terrible it was enough to ask "Whose are you, how old are you, are you married or not?" Modern boyars no longer answer such questions to everyone they meet; they have named such information about themselves "personal data", and for disclosing it they may not impale you, but they can put you in prison.



It is difficult to imagine a company that holds no personal data at all: phone directories, financial statements, employee lists, and so on. All such data is classified by level of confidentiality. If a company submits employee data to the Pension Fund, it automatically holds data of the highest category: payroll statements with names, information about an employee's social status, disability, marital status, number of children, and so on.

Everyone has a right to privacy, regulated by the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data", adopted by the Council of Europe in Strasbourg in 1981 (ratified in Russia by Federal Law No. 160-ФЗ). Automated data processing, maintaining databases and registries, is nevertheless the reality of today. Anyone who holds and stores personal data becomes a data operator. For a legal entity, operator status means a defined degree of responsibility set by laws and by-laws: first of all Federal Law 152-ФЗ, and then the regulations of the agencies involved, namely the Ministry of Communications and Mass Media, Roskomnadzor, FSTEC and the FSB.

All data operators are entered in the Roskomnadzor register (pd.rsoc.ru), where you can also find the date of any inspection the agency has scheduled for you.
The state has long been occupied with the problem of gathering all personal data about a person into a single system, including links to bank accounts. Right now, for example, our state is actively pushing a project to create a universal electronic card: an electronic document carrying the owner's personal data, with the option of storing money on it as well.

The idea that our data is closed to outside access is very conditional. According to the Interfax agency, citing InfoWatch statistics, the number of personal data leaks in our country doubled in 2013 alone and reached 109 cases. That is, the data of 109 companies simply sailed off into the boundless expanse of the Internet, compromising 3 million records.
Often the blame for the loss of personal data lies with the heads of the departments responsible for storing it. From the same Interfax statistics: in 5 out of 10 cases the loss occurred via the Internet.

Starting this year, the Ministry of Communications wants to tighten sanctions for violating the rules of personal data processing. From now on, citizens' personal data appearing in the public domain will cost a data operator 300 thousand rubles; for comparison, the previous fine was 10 thousand rubles.
Fines for processing special categories of personal data (political views, medical information, criminal records) are being raised as well.
The task of the legal entity, the data operator, when building a storage system is first of all organizational: to set up document management and create the documents that permit data processing at all. The second step is to provide the necessary IT system architecture. The most important measures against data loss are, of course, technical ones, which means using certified information protection tools.
How complex the software architecture has to be depends on the confidentiality category of the data.

There are four categories of personal data, with confidentiality increasing from K4 to K1 (this K1 to K4 classification comes from the 2008 joint order of FSTEC, the FSB and the Ministry of Communications; since Government Decree No. 1119 of 2012 the requirements are expressed instead as four protection levels, УЗ4 to УЗ1, so check which regime an inspector will apply to you):
K4: anonymized data. An operator of K4 data may choose its technical solutions on its own; a FSTEC certificate is not required.
K1: data that must not only be protected but also encrypted. The software must be FSTEC-certified, and any cryptographic tools must be FSB-approved.

So while for the lowest category, K4, it is enough to ensure data integrity, category K1 requires the full range of protection measures (often including encryption and leak prevention).
The core list of software functions required of a database operator is as follows:
1. Protection against unauthorized access
2. Anti-virus
3. Firewall
4. Cryptographic tools (for large companies where data leakage is possible)
plus other protective mechanisms (see the FSTEC guidance document "Basic measures for the organizational and technical security of personal data processed in personal data information systems").

All computers in the network on which personal data is processed must be certified and run software certified by FSTEC (the Federal Service for Technical and Export Control), and the network itself must be protected by a certified firewall.
Small firms, as a rule, use non-certified software, including a firewall without a FSTEC certificate (Traffic Inspector Gold).

Firewalls. The entire corporate network and each individual workstation must be protected not only from mass virus outbreaks but also from targeted network attacks. For this it is enough to deploy a system that blocks unused network protocols and services, which is exactly what a firewall does. Firewall functionality is often extended with means of organizing virtual private networks (VPN).
In a larger company, to reduce the cost of certification and of buying certified software, all work with personal data is usually moved to a separate network segment and closed off with a certified firewall (Traffic Inspector FSTEC). The firewall then protects each workstation in that segment and the corporate network as a whole; only the hosts inside the segment have to carry certified software.
Traffic Inspector provides Internet access both through a proxy server and through NAT (network address translation). The advantages of combining NAT and a proxy server are obvious: NAT is a universal way to provide Internet access and hides the internal addressing of the network from the outside (it does not make users anonymous, since the gateway still logs who sent what); the proxy server passes web requests through itself and can filter unwanted content before it reaches the workstation.
Software for building an IT architecture that can protect a system holding personal data therefore covers: providing Internet access; a firewall and antivirus; checking IP packet checksums and lengths; and filtering malformed ("broken") packets.
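To make the last two points concrete (a firewall that drops unused protocols and services, and a filter that checks IP packet checksums and lengths and rejects broken packets), here is an added Python example. It is not code from this article or from Traffic Inspector; the allow-list is a hypothetical policy, and the packets it inspects are constructed inline for illustration.

```python
"""Toy packet filter: IPv4 header sanity checks plus a protocol/port allow-list.

Added example, not code from the article or from Traffic Inspector. Packet
bytes are constructed inline; the allow-list is a hypothetical policy.
"""
import struct
from dataclasses import dataclass


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words.

    Over a header whose checksum field is zero it returns the value to
    write into that field; over a header that already carries a correct
    checksum it returns 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Verdict:
    accepted: bool
    reason: str


# Hypothetical allow-list: (IP protocol number, destination port).
# Everything not listed is an "unused service" and is dropped.
ALLOWED = frozenset({(6, 22), (6, 443)})    # TCP/22, TCP/443


def inspect_packet(pkt: bytes, allowed=ALLOWED) -> Verdict:
    """Validate the IPv4 header first, then apply the allow-list."""
    if len(pkt) < 20:
        return Verdict(False, "truncated: shorter than minimum IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4:
        return Verdict(False, f"not IPv4 (version {version})")
    if ihl < 20 or ihl > len(pkt):
        return Verdict(False, f"bad header length {ihl}")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        return Verdict(False, f"total length {total_len} does not fit {len(pkt)} bytes")
    if ip_checksum(pkt[:ihl]) != 0:
        return Verdict(False, "header checksum mismatch")
    proto = pkt[9]
    payload = pkt[ihl:total_len]            # ignore any link-layer padding
    if proto not in (6, 17):                # only TCP/UDP can match the policy
        return Verdict(False, f"blocked protocol {proto}")
    if len(payload) < 4:
        return Verdict(False, "truncated transport header")
    dport = struct.unpack("!H", payload[2:4])[0]
    if (proto, dport) in allowed:
        return Verdict(True, f"allowed proto {proto} dport {dport}")
    return Verdict(False, f"blocked proto {proto} dport {dport}")


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               corrupt_checksum: bool = False) -> bytes:
    """Build a minimal (20-byte header) IPv4 packet for the examples."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0x4000, 64, proto, 0, addr(src), addr(dst))
    csum = ip_checksum(hdr)
    if corrupt_checksum:
        csum ^= 0x0001                      # flipping one bit always breaks it
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def transport(sport: int, dport: int) -> bytes:
    """First bytes of a TCP/UDP header: source and destination port, then zeros."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


if __name__ == "__main__":
    good = build_ipv4("10.0.0.5", "10.0.1.7", 6, transport(40000, 443))
    rdp = build_ipv4("10.0.0.5", "10.0.1.7", 6, transport(40001, 3389))
    bad = build_ipv4("10.0.0.5", "10.0.1.7", 6, transport(40000, 443), True)
    for name, p in (("https", good), ("rdp", rdp), ("bad csum", bad), ("short", good[:30])):
        v = inspect_packet(p)
        print(f"{name:9} -> {'ACCEPT' if v.accepted else 'DROP':6} {v.reason}")
```

The order of checks matters: length fields are validated before the checksum is computed, so a packet lying about its own size can never make the filter read past the buffer, and the policy lookup only runs on a header that has already proved internally consistent. A real firewall does the same thing in the kernel, but the failure modes (truncated frame, wrong total length, bad checksum, unlisted port) are the ones a certified product is expected to handle.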

Any software installed in the company must be properly recorded in the dedicated documentation:
1. List of personal data protection means
2. Log of accounting and storage of personal data media
3. Installation records for information protection means
4. The approved form of the act of write-off and destruction of electronic media
5. The approved form of the act of destruction of documents
6. Signed non-disclosure agreements for personal data with third parties (organizations), or corresponding clauses in contracts and agreements (especially in the case of cross-border data transfer).

If the organization changes software or hardware, the change must be reflected in these documents.

To summarize. A legal entity that works with personal data (even anonymized) or client data automatically becomes a data operator. Today any organization runs the risk of violations in the processing and storage of personal data, whether it is kept on paper, on electronic media, or processed automatically. The measures a legal entity takes to secure personal data during processing in its information systems are assessed during state inspections. Therefore, first, determine what class of data you operate with (if you submit information to the Pension Fund, it is the high class, K1). Second, put a certified firewall in front of your system. Third, check the websites of Roskomnadzor and FSTEC of Russia, where the schedules of inspections for compliance with Federal Law 152 are published.
