PD protection in small, medium and large organizations. Is everything going smoothly?
If we look at other countries and their approach to the protection of personal data, we can see some differences from Russia, namely:
- people are concerned about what happens when they hand their data over to a company;
- the protection of personal data is not based on the principle of "as long as nobody comes digging";
- companies spend money, with full responsibility and understanding, on various information security measures, on employee training, and on updating and revising information security threats and risks.
In Russia, it is still done the opposite way. On this subject, I would like to write this article "about what I saw."
Introduction
It is customary to present any material to the reader with at least some classification of the information, that is, broken down into sections, chapters, and so on. I would like to convey to the reader the opinion that has formed as a result of implementing personal data projects. The essence of the problem is that in Russia the law on personal data (hereinafter referred to as PD) is simply a burden for everyone, whether for the company, its employee or its client. The company must, on its own or with the help of a competent organization, protect personal data, train employees to work with it, and make customers sign yet another piece of paper stating that they consent to its storage and processing. The result is a set of problems and rules that must be followed.
Organizational part
A typical PD project is carried out in 4 global stages:
- Survey
- Development of organizational and administrative documentation (ARD).
- Development of a security system.
- Implementation.
These stages are often split into sub-stages to give a clearer picture, mainly for the customer's benefit. In this section I would like to touch on stage 2.
From the employee's side. Any PD project done from scratch involves writing a large pile of paper documents that regulate how PD is handled, plus standard forms of consent to processing, agreements with contractors, and so on. Here the Russian approach leaves its mark: the papers are printed and sit on a shelf until the regulator arrives to check them. Why this happens:
- The employee does not understand why he needs these papers.
- Whatever is covered in training is forgotten within a month, since nobody enforces the requirements.
- Liability for disclosure is... laughable.
- Management has checked for itself that "PD is protected", so there is no problem and no need to think about it again.
From the client's side. The vast majority of people are not aware of the law governing PD protection and do not think about it when handing their data over to someone in order to receive a service. There are many examples: online shopping, ordering food at home, and so on. Only after this BOOM passed did some part of the population begin to think about it. But when the moment comes ("My passport was on the first page of Google", or "my wife found out I was staying at a different hotel on my business trip"), the person starts thinking. Otherwise we face the following:
- No interest in understanding what is done with their PD or where it is transferred.
- They don't protect it? Well, so they don't.
- Sign the "PD transfer agreement". What for? Why?
- Calm while everything is calm, and panic when PD leaks.
As a result, the set of documents that was developed, with rules for working with PD that would prevent leaks, does not work. Only a responsible person can make it work, for example an information security specialist in the same company. But since there are basically no such people in small and medium-sized organizations, and all responsibility falls on whoever "gets along" best with the computer, good results are not to be expected.
Technical part
Everything is much more complicated here. We will split the discussion by large companies, medium-sized and small organizations.
Small organization
From a technical point of view, everything is simple. Usually the entire infrastructure is built on Windows, with at most one server for 1C and several workstations. Information security tools (hereinafter referred to as SZI) are rolled out and configured quickly, and usually there are no problems. That is, at this stage, from a technical point of view, everything is fine. Next comes the process of teaching people to work with these SZI. Setting aside identification/authentication mechanisms, the work turns into hell. In most cases an employee reacts very negatively to changes in his work, especially when technology is involved. As a result we get:
- SZI are installed and configured, but nobody uses them.
- The employee's main work is complicated by having to work with the SZI.
- Someone has to maintain the SZI, and usually there is no such person.
In conclusion: organizational and technical measures are implemented, employees are trained, PD is NOT protected.
Mid-sized organizations
Everything is more complicated here. There is an established IT department or a full-time system administrator; in exceptional cases, a security officer. The infrastructure is already configured. This is where the problem begins. Introducing SZI that are acceptable from the regulators' point of view means restructuring the current infrastructure. Typically, in such cases, the personal data information systems (ISPD) are carved out into a separate segment and protected separately so as not to affect the overall architecture and the smooth work of the company. In this case there is someone to administer the SZI, which is a definite bonus. Again, employees are not enthusiastic that something is changing in their work, and the implementation of organizational protection measures fades into the background. Monitoring their implementation falls on IT specialists, who in turn are busy with more important things. As a result we get:
- SZI are installed, configured and, in most cases, administered.
- The employee's main work is complicated by having to work with the SZI.
- The ISPD does not disrupt the current infrastructure.
In conclusion: organizational and technical measures are implemented, employees are trained, PD is NOT protected.
Large organizations
It is even more interesting here. An IT department, a security department, a distributed information system, virtualization, a large number of corporate services, and so on. Usually everything is protected sensibly: encryption, protection according to all the rules and best practices. Everything here is already well protected, but then there is the word "certification". This spoils everything. One could write an article about each project rather than fitting them all under one template. But in the end, both the organizational and the technical side are fine. Responsible employees do their job. Users are trained, the process is controlled.
As a result, we get:
- SZI are installed, configured and administered.
- The employee's main work is complicated by having to work with the SZI.
- The ISPD does not disrupt the current infrastructure.
- Organizational measures are carried out in accordance with the instructions and regulations.
In conclusion: organizational and technical measures are implemented, employees are trained, PD is protected.
Conclusion
In conclusion, I want to say: protecting personal data is a good and necessary job if it is done correctly. But given our realities, for small and medium-sized businesses it brings no results, only wasted money. Again, I am talking about the majority of organizations, but I have not seen a small business that is doing fine with PD. I am not saying that PD need not be protected, but the approach should be different.